Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Day Of Month Field Without A Leading Zero

sajbutler
Path Finder
‎07-04-2012 08:58 PM

I have a log which contains entries like the following:

(3/07/12 13:13:09) 8856: < RingBufferModule::initialize()
(3/07/12 13:13:09) 8857: Finished init of: 'RingBufferLoggingAppender'
(3/07/12 13:13:09) 8858: Initializing 'AudioPathController'
(3/07/12 13:13:09) 8859: Unable to find value for key: 'SrxSupervisorAudioEnable'

The date component is day/month/year. So in the above example, we have the 3rd July 2012. As you can see, the day of month (i.e. 3 in the above example) does not contain a leading zero. According to strptime, %d represents 01-31 and there seems to be nothing for 1-31. I've tried the following in props.conf but to no avail: 

TIME_FORMAT=%d%m/%g  %H:%M:%S

Any suggestions to this would be appreciated.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

itinney
Path Finder
‎07-05-2012 09:05 AM

You are missing a slash after the %d and before %m in your first post.
I always use %Y for four-digit year and %y for two-digit year.
%d is always zero-padded (03/07/12)
%e is space-padded ( 3/07/12)
I would try:

%e/%m/%y %H:%M:%S

OR

%e/%m/%y %T

View solution in original post

Reply
Solved! Jump to solution
Solution

itinney
Path Finder
‎07-05-2012 09:05 AM

You are missing a slash after the %d and before %m in your first post.
I always use %Y for four-digit year and %y for two-digit year.
%d is always zero-padded (03/07/12)
%e is space-padded ( 3/07/12)
I would try:

%e/%m/%y %H:%M:%S

OR

%e/%m/%y %T
Reply
Solved! Jump to solution

sajbutler
Path Finder
‎07-05-2012 10:52 PM

Missing slash. Ouch. The %e space pads and works fine. I can confirm that the following following config in props.conf works:
TIME_FORMAT=%e/%m/%g %H:%M:%S
TIME_PREFIX=[(]

0 Karma
Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎07-04-2012 10:00 PM

There is a strange double space in your timeformat.

Also, you could try to add the characters around.

 

TIME_FORMAT=(%d/%m/%g %H:%M:%S)

0 Karma
Reply
Solved! Jump to solution

sajbutler
Path Finder
‎07-04-2012 11:24 PM

Thanks for the suggestions yannK.

I've removed the double space from the TIME_FORMAT and also tried enclosing in brackets but still no good.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 2)

Welcome to the "Splunk Classroom Chronicles" series, created to help curious, career-minded learners get ...

Index This | I am a number but I am countless. What am I?

January 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  Happy New Year! We’re ...

What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience

PLATFORM TECH TALKS What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience Thursday, February 27, ...