Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Difficulty in Timestamp Recongnition

melonman
Motivator
‎09-03-2010 05:48 AM

Hi there,

I am trying to have splunk know the right timestamp in the following event.

COR_00000001,Com1,LOC_00000001,DC1,SUB_00000001,21F,GRP_00000001,Rack1,CON_00000001,Saving,8A0000000521A81D_1,2010/09/03,3F PW System,Powe,8A0000000521A81D_1,kWh,2010/09/03 00:00:00,15,83946325

There is a .csv file, and there are a header line at the first line and the rest of the lines are similar to the event above.

The correct timestamp is "2010/09/03 00:00:00" which is in %Y/%m/%d %H:%M:%S format.

My props.conf looks like the follwing, but I can not get the right timestamp.

[source::<path>]
CHECK_FOR_HEADER=false

[<sourcetype>]
SHOULD_LINEMERGE = False
BREAK_ONLY_BEFORE_DATE = False
TIME_FORMAT = %Y/%m/%d %H:%M:%S

Could anyone help me out?

Thanks!

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

meno
Path Finder
‎09-03-2010 06:02 AM

I would first try it without TIME_FORMAT but increase:

MAX_TIMESTAMP_LOOKAHEAD = <integer>
* Specifies how far (in characters) into an event Splunk should look for a timestamp.
* Defaults to 150.

Only if the result is still bad you might continue with TIME_FORMAT.

View solution in original post

Reply
Solved! Jump to solution

Lowell
Super Champion
‎09-03-2010 01:54 PM

I would also recommend that you add sourcetype = <sourcetype> in your [source::<path>] stanza. Otherwise you risk the wrong sourcetype association and then your TIME_FORMAT and other sourcetype-based settings will not be applied. Splunk may be getting this right on it's own, but I've found it helpful to be explicit about sourcetype associations. That's my 2 cents.

0 Karma
Reply
Solved! Jump to solution
Solution

meno
Path Finder
‎09-03-2010 06:02 AM

I would first try it without TIME_FORMAT but increase:

MAX_TIMESTAMP_LOOKAHEAD = <integer>
* Specifies how far (in characters) into an event Splunk should look for a timestamp.
* Defaults to 150.

Only if the result is still bad you might continue with TIME_FORMAT.

Reply
Solved! Jump to solution

melonman
Motivator
‎09-03-2010 06:40 AM

Thanks meno! it worked 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

What’s New & Next in Splunk SOAR

Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us on ...

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...