
Escape backslash in TIME_FORMAT field of props.conf

ramanjain1983
Path Finder

Hey,

I know it is a seriously simple question, but I am having a hard time with the timestamp extraction below.

The log looks like:

01.04.14 11:09:24 AM [Storage 1312312312] skfnskfnksfnksdnfsdnfksdnfksdnflksdnfklsdf

I am defining my source type for this as:

MY SOURCETYPE

BREAK_ONLY_BEFORE=\d{1,2}.\d{1,2}.\d{1,2} \d{1,2}\:\d{1,2}\:\d{1,2} [APap][Mm] [

NO_BINARY_CHECK=1

SHOULD_LINEMERGE=true

TIME_FORMAT=%d.%m.%Y %I\:%M\:%S %p

TZ=Australia/Sydney

If you notice, I have got a backslash between the hour and minute digits. So I tried escaping it with another backslash. I have also tried it without escaping it. In both cases Splunk only extracts the date and no proper time is extracted.

Is escaping allowed in the TIME_FORMAT field? If yes, what am I doing wrong here? Can someone please provide some pointers?

Thanks

1 Solution

jkat54
SplunkTrust
BREAK_ONLY_BEFORE=\d{2}\.\d{2}\.\d{2}\s+\d{1,2}\\:\d{1,2}\\:\d{1,2}\s+[APap][Mm]
TIME_FORMAT=%m.%d.%y %I\:%M\:%S %p

You were using %Y, not %y.


ramanjain1983
Path Finder

This worked. Thanks a lot JKAT54.


jkat54
SplunkTrust

Can you please mark my answer as the solution? Thanks! - Jkat54



ramanjain1983
Path Finder

How could I make this silly mistake...

Anyway, yes, that was the only problem. Thanks a lot JKAT54.


jkat54
SplunkTrust

Maybe add this to the end to fix your "\:":

SEDCMD=s/\\:/:/g
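As an added illustration (not code from the thread or from Splunk), the same %-directive rules worked through in Python's strptime, which follows the strptime conventions TIME_FORMAT is based on but is not Splunk's own timestamp engine, so Splunk may treat the backslash differently: %Y refuses a two-digit year, and a literal backslash in the event either has to appear in the format or be stripped first, as the SEDCMD above does. The sample events are constructed from the log line in the question; the point matters because a format that does not fit silently leaves the event without a usable time.

```python
import re
from datetime import datetime
from typing import Optional

# Constructed sample events modelled on the log line in the question:
# one with plain colons, one with the backslash-escaped colons (hh\:mm\:ss).
EVENT_PLAIN = "01.04.14 11:09:24 AM [Storage 1312312312] payload"
EVENT_ESCAPED = r"01.04.14 11\:09\:24 AM [Storage 1312312312] payload"

# Mirrors the BREAK_ONLY_BEFORE regex from the accepted answer; the optional
# backslash before each colon lets it match both event shapes.
TIMESTAMP_RE = re.compile(
    r"^\d{2}\.\d{2}\.\d{2}\s+\d{1,2}\\?:\d{1,2}\\?:\d{1,2}\s+[APap][Mm]"
)


def apply_sedcmd(event: str) -> str:
    # Python equivalent of SEDCMD=s/\\:/:/g: drop the backslash before each colon.
    return re.sub(r"\\:", ":", event)


def extract_timestamp(event: str, time_format: str,
                      use_sedcmd: bool = False) -> Optional[datetime]:
    """Cut the leading timestamp out of an event and parse it with a
    strptime-style TIME_FORMAT. Returns None when the format does not fit,
    which is the symptom the asker saw (no proper time on the event)."""
    if use_sedcmd:
        event = apply_sedcmd(event)
    match = TIMESTAMP_RE.match(event)
    if match is None:
        return None
    try:
        return datetime.strptime(match.group(0), time_format)
    except ValueError:  # e.g. %Y against "14", or ":" against "\:"
        return None


if __name__ == "__main__":
    cases = [
        ("asker's %Y on a 2-digit year", EVENT_PLAIN, "%d.%m.%Y %I:%M:%S %p", False),
        ("accepted %y format", EVENT_PLAIN, "%m.%d.%y %I:%M:%S %p", False),
        ("plain format on escaped colons", EVENT_ESCAPED, "%m.%d.%y %I:%M:%S %p", False),
        ("escaped colons, SEDCMD first", EVENT_ESCAPED, "%m.%d.%y %I:%M:%S %p", True),
        ("escaped colons, backslash in format", EVENT_ESCAPED, r"%m.%d.%y %I\:%M\:%S %p", False),
    ]
    for label, event, fmt, sed in cases:
        print(f"{label:38} -> {extract_timestamp(event, fmt, sed)}")
```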

ramanjain1983
Path Finder

I just noticed that while posting I mentioned a double backslash: one is there in the time string and the other one I used to escape it. It looks like the formatting on the web page already escaped it when presenting it.

Actually the time format is like: dd.mm.yyyy hh\:mm\:ss AM, so here you can see that I have got a backslash in between the hh and :mm.

I don't see any problem with the break-before field, but when I used the same technique for the time format it did not work, even after using the correct strftime. I have tried both ways, one by escaping it using an additional backslash and without it as well.


richgalloway
SplunkTrust

It should not be necessary to escape the colon characters in either the TIME_FORMAT or BREAK_ONLY_BEFORE statements. Try this regex in BREAK_ONLY_BEFORE to see if it makes a difference:

\d{1,2}\.\d{1,2}\.\d{1,2} \d{1,2}:\d{1,2}:\d{1,2} [APap][Mm] \[
---
If this reply helps you, Karma would be appreciated.