Extract timestamp without date?

Toups · ‎12-02-2010

Preface: The timestamp is in HHMM format from the source, year/month/day information is not provided. The data is provided via a TCP string from a CDR log.

I have the following input string:

"\x00\x00\x00130000059  C9E840    1210....."

I have added entries to the local props.com as follows:

[source::tcp:9001]
TZ = America/Chicago
CHECK_FOR_HEADER = False
SHOULD_LINEMERGE = False
MAX_TIMESTAMP_LOOKAHEAD = 16
TIME_PREFIX = ^.{12}
TIME_FORMAT = %H %M

The issue: timestamps appear to work fine EXCEPT for the first 5 minutes of each hour. In the example above the timestamp is 4 digits log starting after position 12 with a value of "1300" however splunk is decoding the timestamp as "1359" instead of "1300" as defined. Once time reaches 6 minutes past the hour, the timestamp works as expected producing a timestamp of "1306"; an example is:

"\x00\x00\x00130600869  C9E820     713....."

Any assistance is greatly appreciated.

Toups · ‎12-03-2010

Updated from version 4.1.5 to 4.1.6 and updated the local props.conf as follows, then restarted Splunk.

[source::tcp:9001]
TZ = America/Chicago
CHECK_FOR_HEADER = False
SHOULD_LINEMERGE = False
MAX_TIMESTAMP_LOOKAHEAD = 16
TIME_PREFIX = ^.{12}
TIME_FORMAT = %H %M

The issue appears to be resolved in cursory testing, however I will edit/update accordingly after additional testing has been verified.