Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to parse the date_time and event_time fields from my raw data in PSV format?

shivarpith
Path Finder
‎06-09-2015 08:56 AM

hi,

i have some mainframe logs coming into splunk which is in PSV (pipe separated value) format. have managed to parse all of the data successfully, but the date_time and Event_time fields are showing dates as 31 dec, 1969 and 1970, but in the log file, it's dated april to june of 2015.

sample log:

IN|15080|830828|V014MSNY|B014MU01|CAL0Q14|DPNT1|PSABTSR1|||0000000|DDTD34|FAIL|10|012||||x980|USER|
0 Karma
Reply

woodcock
Esteemed Legend
‎06-09-2015 09:40 AM

You need to tell Splunk how to interpret the timestamp in each event as documented here:

http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Handleeventtimestamps

Just by looking at your event, I have no idea how to interpret your timestamps so I assume Splunk is treating them as epoch which is giving a time way in the past.

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...