Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Extract timestamp without date?

Toups
Explorer
‎12-02-2010 07:40 PM

Preface: The timestamp is in HHMM format from the source, year/month/day information is not provided. The data is provided via a TCP string from a CDR log.

I have the following input string:

"\x00\x00\x00130000059  C9E840    1210....."

I have added entries to the local props.com as follows:

[source::tcp:9001]
TZ = America/Chicago
CHECK_FOR_HEADER = False
SHOULD_LINEMERGE = False
MAX_TIMESTAMP_LOOKAHEAD = 16
TIME_PREFIX = ^.{12}
TIME_FORMAT = %H %M

The issue: timestamps appear to work fine EXCEPT for the first 5 minutes of each hour. In the example above the timestamp is 4 digits log starting after position 12 with a value of "1300" however splunk is decoding the timestamp as "1359" instead of "1300" as defined. Once time reaches 6 minutes past the hour, the timestamp works as expected producing a timestamp of "1306"; an example is:

"\x00\x00\x00130600869  C9E820     713....."

Any assistance is greatly appreciated.

Tags (2)
Reply

Toups
Explorer
‎12-03-2010 07:22 PM

Updated from version 4.1.5 to 4.1.6 and updated the local props.conf as follows, then restarted Splunk.

[source::tcp:9001]
TZ = America/Chicago
CHECK_FOR_HEADER = False
SHOULD_LINEMERGE = False
MAX_TIMESTAMP_LOOKAHEAD = 16
TIME_PREFIX = ^.{12}
TIME_FORMAT = %H %M

The issue appears to be resolved in cursory testing, however I will edit/update accordingly after additional testing has been verified.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...