Getting Data In

Difficulty in Timestamp Recognition

melonman
Motivator

Hi there,

I am trying to have Splunk know the right timestamp in the following event.

COR_00000001,Com1,LOC_00000001,DC1,SUB_00000001,21F,GRP_00000001,Rack1,CON_00000001,Saving,8A0000000521A81D_1,2010/09/03,3F PW System,Powe,8A0000000521A81D_1,kWh,2010/09/03 00:00:00,15,83946325

There is a .csv file with a header line on the first line, and the rest of the lines are similar to the event above.

The correct timestamp is "2010/09/03 00:00:00" which is in %Y/%m/%d %H:%M:%S format.

My props.conf looks like the following, but I cannot get the right timestamp.

[source::<path>]
CHECK_FOR_HEADER=false

[<sourcetype>]
SHOULD_LINEMERGE = False
BREAK_ONLY_BEFORE_DATE = False
TIME_FORMAT = %Y/%m/%d %H:%M:%S

Could anyone help me out?

Thanks!

1 Solution

meno
Path Finder

I would first try it without TIME_FORMAT but increase:

MAX_TIMESTAMP_LOOKAHEAD = <integer>
* Specifies how far (in characters) into an event Splunk should look for a timestamp.
* Defaults to 150.

Only if the result is still bad you might continue with TIME_FORMAT.

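As an added example (not code from the thread), here is a Python check of why the default lookahead misses this event: it walks the CSV fields, finds the first one that fully parses with the question's TIME_FORMAT, and reports the smallest MAX_TIMESTAMP_LOOKAHEAD that would cover it. It assumes unquoted CSV fields and uses the event line from the question as constructed input.

```python
import csv
import io
from datetime import datetime

# Constructed sample: the event line quoted in the question (assumed unquoted CSV fields).
EVENT = ("COR_00000001,Com1,LOC_00000001,DC1,SUB_00000001,21F,GRP_00000001,Rack1,"
         "CON_00000001,Saving,8A0000000521A81D_1,2010/09/03,3F PW System,Powe,"
         "8A0000000521A81D_1,kWh,2010/09/03 00:00:00,15,83946325")
TIME_FORMAT = "%Y/%m/%d %H:%M:%S"   # the format from the question's props.conf
DEFAULT_LOOKAHEAD = 150             # props.conf default for MAX_TIMESTAMP_LOOKAHEAD


def field_offsets(line):
    """Yield (character offset from event start, field text) for each comma-separated field."""
    pos = 0
    for field in next(csv.reader(io.StringIO(line))):
        yield pos, field
        pos += len(field) + 1   # +1 for the comma delimiter


def timestamp_fields(line, fmt):
    """Return [(offset, text, datetime)] for every field that fully parses with fmt."""
    hits = []
    for pos, field in field_offsets(line):
        try:
            hits.append((pos, field, datetime.strptime(field, fmt)))
        except ValueError:
            continue    # field is not a timestamp in this format
    return hits


def min_lookahead(line, fmt):
    """Smallest lookahead (chars from event start) that covers the first fmt match, else None."""
    hits = timestamp_fields(line, fmt)
    if not hits:
        return None
    pos, text, _ = hits[0]
    return pos + len(text)


def reachable(line, fmt, lookahead=DEFAULT_LOOKAHEAD):
    """True if a lookahead window of this width contains the whole first matching timestamp."""
    need = min_lookahead(line, fmt)
    return need is not None and need <= lookahead


if __name__ == "__main__":
    need = min_lookahead(EVENT, TIME_FORMAT)
    print(f"full timestamp ends at char {need}; default lookahead is {DEFAULT_LOOKAHEAD}")
    print(f"reachable with default lookahead: {reachable(EVENT, TIME_FORMAT)}")
    print(f"date-only field (%Y/%m/%d) ends at char {min_lookahead(EVENT, '%Y/%m/%d')}")
    print(f"suggested: MAX_TIMESTAMP_LOOKAHEAD = {need}")
```

The earlier date-only field sits inside the default 150-character window while the full timestamp does not, which is why raising MAX_TIMESTAMP_LOOKAHEAD matters for this layout.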

Lowell
Super Champion

I would also recommend that you add sourcetype = <sourcetype> in your [source::<path>] stanza. Otherwise you risk the wrong sourcetype association and then your TIME_FORMAT and other sourcetype-based settings will not be applied. Splunk may be getting this right on its own, but I've found it helpful to be explicit about sourcetype associations. That's my 2 cents.

0 Karma


melonman
Motivator

Thanks meno! It worked 🙂

0 Karma