Solved: How Do I get Splunk to Recognize a Log TimeStamp a...

skoelpin · ‎06-02-2016

I have log data that has a timestamp in this format 20160530/001020.670

I uploaded the log directly into Splunk to test with and Splunk is ignoring the timestamp and assigning it's own timestamp which does not match the log data.

I cleared the data from that index and re-uploaded the data and currently on the 'Set Sourcetype' step. There's a section labeled 'Timestamp' which has 'Timestamp format' , 'Timestamp prefix' , and 'Lookahead'..

My question

How can I get Splunk to recognize the timestamp 20160530/001020.670 and convert it to 5/30/16 12:10:20.670 AM?

somesoni2 · ‎06-02-2016

Use this

TIME_FORMAT=%Y%m%d/%H%M%S.%3N
TIME_PREFEX=set as per your log
MAX_TIMESTAMP_LOOKAHEAD=17

View solution in original post

somesoni2 · ‎06-02-2016

Use this

TIME_FORMAT=%Y%m%d/%H%M%S.%3N
TIME_PREFEX=set as per your log
MAX_TIMESTAMP_LOOKAHEAD=17

How Do I get Splunk to Recognize a Log TimeStamp and Convert it?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Event Series: Telemetry Pipeline Management

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Join the Conversation