Extract timestamp without date?

Toups · ‎12-02-2010

Preface: The timestamp is in HHMM format from the source, year/month/day information is not provided. The data is provided via a TCP string from a CDR log.

I have the following input string:

"\x00\x00\x00130000059  C9E840    1210....."

I have added entries to the local props.com as follows:

[source::tcp:9001]
TZ = America/Chicago
CHECK_FOR_HEADER = False
SHOULD_LINEMERGE = False
MAX_TIMESTAMP_LOOKAHEAD = 16
TIME_PREFIX = ^.{12}
TIME_FORMAT = %H %M

The issue: timestamps appear to work fine EXCEPT for the first 5 minutes of each hour. In the example above the timestamp is 4 digits log starting after position 12 with a value of "1300" however splunk is decoding the timestamp as "1359" instead of "1300" as defined. Once time reaches 6 minutes past the hour, the timestamp works as expected producing a timestamp of "1306"; an example is:

"\x00\x00\x00130600869  C9E820     713....."

Any assistance is greatly appreciated.

Toups · ‎12-03-2010

Updated from version 4.1.5 to 4.1.6 and updated the local props.conf as follows, then restarted Splunk.

[source::tcp:9001]
TZ = America/Chicago
CHECK_FOR_HEADER = False
SHOULD_LINEMERGE = False
MAX_TIMESTAMP_LOOKAHEAD = 16
TIME_PREFIX = ^.{12}
TIME_FORMAT = %H %M

The issue appears to be resolved in cursory testing, however I will edit/update accordingly after additional testing has been verified.

Extract timestamp without date?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!