Having difficulties with a date/time conversion?

NanSplk01 · ‎03-27-2023

I have been trying to create this sourcetype and am not sure I'm capturing it correctly.

Sample date: [2023-03-26T14:06:06.356-04:00]

Regex Breakdown: \[\d{4}-\d{2}-\d{2}.\d{2}:\d{2}:\d{2}.\d{3}-\d{2}:\d{2}]

Timestamp: %Y-%m-%d{2}\T\d{2}:%H%:%M.%S.%N-\d{2}:\d{2}

But I'm having issues with the timestamp value. I've not run into one that has no breaks in it before. Any help will be much appreciated.

yeahnah · ‎03-27-2023

Hi @NanSplk01

The regex looks OK, but time format variables used are wrong. Here's the Splunk doc ref

This should work for you

Timestamp: %Y-%m-%dT%H:%M:%S.%3N%z

Hope that helps

Are you a member of the Splunk Community?