Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to setup TIME_FORMAT with time and date in separate locations ?

winicd
New Member
‎03-25-2018 03:58 AM

I get trouble to setup TIME_FORMAT= ????, the documents help only if Date and time is in one line.

In my case : The log file is generateted from 00:00 to 23:59 date is 032318 in Filename.
on time format i get for each line in this log file timestamp but not date !
I need methode to move the Date from the filename to the TIME_FORMAT extraction for index all line with date and time.
sample : filesname : xxxx.020918_00004.log here we have the date only
The have starting line like : 13:00:11.588 [5636.5636] ...... here are the time stamps from 00:00 to 23:59 for each day
There no date in the file!
how do need to define the TIME_FORMATE in props.conf for this case ?
TIME_FORMAT= %H:%M:%S ..... missing the DATE ? for correct indexing
this is a question about application NETbackup from Veritas and his logs
on files in /usr/openv/netbackup/logs >>> date in logfilename >> time in logfile
on files in /usr/openv/logs >> we have unixtime time and date in log file this no proplem !

Thank in advanced,

Darius

0 Karma
Reply

Azeemering
Builder
‎03-25-2018 06:59 AM

If no events in a source have a date, Splunk software tries to find a date in the source name or file name. Time of day is not identified in filenames. (This requires that the events have a time, even though they don't have a date.)
For file sources, if no date can be identified in the file name, Splunk software uses the file modification time.
As a last resort, Splunk software sets the timestamp to the current system time when indexing each event.

In general I would just define TIME_FORMAT as H:M:S.%3N in this case.
What happens when you try it with a sample?
I have done a few times and every time splunk was able to pick up the date from the file name.

0 Karma
Reply
Get Updates on the Splunk Community!

New Year, New Changes for Splunk Certifications

As we embrace a new year, we’re making a small but important update to the Splunk Certification ...

[Puzzles] Solve, Learn, Repeat: Unmerging HTML Tables

[Puzzles] Solve, Learn, Repeat: Unmerging HTML TablesFor a previous puzzle, I needed some sample data, and ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...