Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Difficulty in Timestamp Recongnition

melonman
Motivator
‎09-03-2010 05:48 AM

Hi there,

I am trying to have splunk know the right timestamp in the following event.

COR_00000001,Com1,LOC_00000001,DC1,SUB_00000001,21F,GRP_00000001,Rack1,CON_00000001,Saving,8A0000000521A81D_1,2010/09/03,3F PW System,Powe,8A0000000521A81D_1,kWh,2010/09/03 00:00:00,15,83946325

There is a .csv file, and there are a header line at the first line and the rest of the lines are similar to the event above.

The correct timestamp is "2010/09/03 00:00:00" which is in %Y/%m/%d %H:%M:%S format.

My props.conf looks like the follwing, but I can not get the right timestamp.

[source::<path>]
CHECK_FOR_HEADER=false

[<sourcetype>]
SHOULD_LINEMERGE = False
BREAK_ONLY_BEFORE_DATE = False
TIME_FORMAT = %Y/%m/%d %H:%M:%S

Could anyone help me out?

Thanks!

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

meno
Path Finder
‎09-03-2010 06:02 AM

I would first try it without TIME_FORMAT but increase:

MAX_TIMESTAMP_LOOKAHEAD = <integer>
* Specifies how far (in characters) into an event Splunk should look for a timestamp.
* Defaults to 150.

Only if the result is still bad you might continue with TIME_FORMAT.

View solution in original post

Reply
Solved! Jump to solution

Lowell
Super Champion
‎09-03-2010 01:54 PM

I would also recommend that you add sourcetype = <sourcetype> in your [source::<path>] stanza. Otherwise you risk the wrong sourcetype association and then your TIME_FORMAT and other sourcetype-based settings will not be applied. Splunk may be getting this right on it's own, but I've found it helpful to be explicit about sourcetype associations. That's my 2 cents.

0 Karma
Reply
Solved! Jump to solution
Solution

meno
Path Finder
‎09-03-2010 06:02 AM

I would first try it without TIME_FORMAT but increase:

MAX_TIMESTAMP_LOOKAHEAD = <integer>
* Specifies how far (in characters) into an event Splunk should look for a timestamp.
* Defaults to 150.

Only if the result is still bad you might continue with TIME_FORMAT.

Reply
Solved! Jump to solution

melonman
Motivator
‎09-03-2010 06:40 AM

Thanks meno! it worked 🙂

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Mile High Learning with Splunk University, Denver, Colorado

If Denver is known for its mile-high elevation, Splunk University is about to raise the bar on technical ...

IT Service Intelligence 5.0 Series: Your Guide to the June Launch

We are excited to announce the June release of Splunk IT Service Intelligence (ITSI) 5.0. This update ...

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...