Hi everyone,
Can someone tell me what I'm supposed to edit in my datetime.xml file for my custom date and time to be recognized in Splunk? Here is an example of a log:
I have tried:
datetime.xml
<datetime>
<define name="Date" extract="year, month, day">
<text>\<DATE>(\d{4})(\d{2})(\d{2})</text>
</define>
<define name="Time" extract="hour, minute, second">
<text>\<TIME>(\d{2})(\d{2})(\d{2})</text>
</define>
<timePatterns>
<use name="Time"/>
</timePatterns>
<datePatterns>
<use name="Date"/>
</datePatterns>
</datetime>
props.conf
DATETIME_CONFIG = /etc/system/local/datetime.xml
I think I'm missing something here....
Thanks, cheers
Once you switch to datetime.xml, the other time configurations do not work.
DO NOT EDIT /etc/system/local/datetime.xml!
Create a new file inside of your app:
/etc/apps/YourApp/default/datetime.xml
In any case, you don't need a custom datetime.xml and I wouldn't do it that way because it is complicated and unnecessary.
In props.conf all you should need is this:
TIME_PREFIX = "<LOG><DATE>"
TIME_FORMAT = %Y%m%d</DATE><TIME>%H%M%S
MAX_TIMESTAMP_LOOKAHEAD = 27
This, of course, presumes that you have event line-breaking working correctly.
I succeeded with:
TIME_PREFIX = DATE>
TIME_FORMAT = %Y%m%d</DATE><TIME>%H%M%S
Thanks for datetime.xml tips.
cheers
Hey.
I have the same issue, but the date and time fields are on separate lines. How would you solve this?
...
<Date>20151130</Date>
<Time>082327</Time>
<Client>600</Client>
...
thanks
Markus
I just got the answer by myself:
TIME_FORMAT = %Y%m%d</DATE>%n<TIME>%H%M%S
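The script below is an added illustration, not Splunk's own parser and not code from anyone in this thread. It models how the three props.conf settings from the accepted answer interact (TIME_PREFIX is a regex, MAX_TIMESTAMP_LOOKAHEAD caps the characters inspected after it, TIME_FORMAT must then match at the start of that window) and also runs the %n variant used for the two-line <DATE>/<TIME> layout. Treating %n as "any run of whitespace" is an assumption of this model, and the two sample events are constructed from the tag names on this page.

```python
import re
from datetime import datetime

# Regex fragments for the strptime directives that appear in this thread.
DIRECTIVES = {
    "%Y": r"(?P<Y>\d{4})",
    "%m": r"(?P<m>\d{2})",
    "%d": r"(?P<d>\d{2})",
    "%H": r"(?P<H>\d{2})",
    "%M": r"(?P<M>\d{2})",
    "%S": r"(?P<S>\d{2})",
    # ASSUMPTION: %n is modelled as "any run of whitespace, including a newline".
    "%n": r"\s*",
}


def format_to_regex(time_format):
    """Turn a TIME_FORMAT string into a compiled regex.

    Directives become capture groups; every other character is matched
    literally, so the XML tags written into the format must appear in the
    event with exactly the same case.
    """
    parts = []
    i = 0
    while i < len(time_format):
        if time_format[i] == "%" and i + 1 < len(time_format):
            token = time_format[i:i + 2]
            if token not in DIRECTIVES:
                raise ValueError("unsupported directive in this model: " + token)
            parts.append(DIRECTIVES[token])
            i += 2
        else:
            parts.append(re.escape(time_format[i]))
            i += 1
    return re.compile("".join(parts))


def extract_timestamp(event, time_prefix, time_format, max_lookahead):
    """Model of the three props.conf settings.

    1. TIME_PREFIX is a regex; the timestamp is looked for right after it.
    2. MAX_TIMESTAMP_LOOKAHEAD caps how many characters after the prefix
       are inspected (a newline counts as one character).
    3. TIME_FORMAT must match at the start of that window.
    Returns a datetime, or None when any stage fails.
    """
    prefix = re.search(time_prefix, event)
    if prefix is None:
        return None
    window = event[prefix.end():prefix.end() + max_lookahead]
    m = format_to_regex(time_format).match(window)
    if m is None:
        return None
    g = m.groupdict()
    return datetime(int(g["Y"]), int(g["m"]), int(g["d"]),
                    int(g["H"]), int(g["M"]), int(g["S"]))


def timestamp_iso(event, time_prefix, time_format, max_lookahead):
    """Same as extract_timestamp, but returns an ISO-8601 string or None."""
    ts = extract_timestamp(event, time_prefix, time_format, max_lookahead)
    return None if ts is None else ts.isoformat()


# Constructed sample events built from the tag names used in this thread.
SINGLE_LINE_EVENT = (
    "<LOG><DATE>20151130</DATE><TIME>082327</TIME><Client>600</Client></LOG>"
)
MULTI_LINE_EVENT = (
    "<LOG>\n<DATE>20151130</DATE>\n<TIME>082327</TIME>\n<Client>600</Client>\n</LOG>"
)

SINGLE_LINE_FORMAT = "%Y%m%d</DATE><TIME>%H%M%S"
MULTI_LINE_FORMAT = "%Y%m%d</DATE>%n<TIME>%H%M%S"


if __name__ == "__main__":
    # Single-line layout with the lookahead from the accepted answer.
    print(timestamp_iso(SINGLE_LINE_EVENT, "DATE>", SINGLE_LINE_FORMAT, 27))
    # Two-line layout: the newline eats one character of the window.
    print(timestamp_iso(MULTI_LINE_EVENT, "DATE>", MULTI_LINE_FORMAT, 27))
    print(timestamp_iso(MULTI_LINE_EVENT, "DATE>", MULTI_LINE_FORMAT, 28))
```

The value 27 in the accepted answer is not arbitrary: after the prefix `DATE>` the model has to see `20151130` (8), `</DATE>` (7), `<TIME>` (6) and `082327` (6), which is exactly 27 characters. When the two tags sit on separate lines the newline consumes one more character of the window, so in this model a lookahead of 27 silently returns None while 28 succeeds; a too-small MAX_TIMESTAMP_LOOKAHEAD is the first thing to check when a format that looks right still yields no timestamp.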
I changed it a few times, and now it looks like this, and again Splunk does not recognize the date and time... any ideas?
First I did it with this props.conf:
DATETIME_CONFIG = C:\Program Files\Splunk\etc\system\local\datetime.xml
Second time with this props.conf:
DATETIME_CONFIG = C:\Program Files\Splunk\etc\system\local\datetime.xml
TIME_PREFIX = DATE\>
TIME_FORMAT = %Y%m%d</DATE><TIME>%H%M%S
And my datetime.xml looks like this now:
<?xml version="1.0" encoding="UTF-8"?>
<datetime>
<define name="_Date" extract="year, month, day">
<text>\DATE>(\d{4})(\d{2})(\d{2})</text>
</define>
<define name="_Time" extract="hour, minute, second">
<text>\TIME>(\d{2})(\d{2})(\d{2})</text>
</define>
<timePatterns>
<use name="_Date"/>
<use name="_Time"/>
</timePatterns>
<datePatterns>
<use name="_Date"/>
<use name="_Time"/>
</datePatterns>
</datetime>