Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Indexer not parsing 12 hour timestamp format

parth_jec
Path Finder
‎07-12-2012 11:58 AM

Hi,

I am using Universal forwarder (splunkforwarder-4.3.2-123586-x64-release) to forward multiple logs to the indexer (version 4.2.4, build 110225 ). For a particular log, I cannot see the logs indexed after 12:59 every day. For this log the timestamp format is a 12 hour format, Ex: 2012-07-12 01:00:16. However, all the other logs are forwarded properly from the same frowarder and they are using timestamp of 24 hour format, Ex: 2012-07-12 13:05:56.

How can I fix this?

Thanks,

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jbsplunk
Splunk Employee
Splunk Employee
‎07-12-2012 12:55 PM

It sounds like you need to configure time format explicitly. If you did an all time,real time search for the source in question, I am guessing you'd continue to see data, but it would be timestamped incorrectly.

http://docs.splunk.com/Documentation/Splunk/latest/Data/Configuretimestamprecognition

Use the TIME_FORMAT attribute in props.conf to configure timestamp parsing. This attribute takes a strptime() format string, which it uses to extract the timestamp.

Splunk implements an enhanced version of Unix strptime() that supports additional formats, allowing for microsecond, millisecond, any time width format, and some additional time formats for compatibility. The additional formats are listed in this table: 

%I  For hours on a 12-hour clock format. If %I appears after %S or %s (like "%H:%M:%S.%l"), it takes on the log4cpp meaning of milliseconds.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

jbsplunk
Splunk Employee
Splunk Employee
‎07-12-2012 12:55 PM

It sounds like you need to configure time format explicitly. If you did an all time,real time search for the source in question, I am guessing you'd continue to see data, but it would be timestamped incorrectly.

http://docs.splunk.com/Documentation/Splunk/latest/Data/Configuretimestamprecognition

Use the TIME_FORMAT attribute in props.conf to configure timestamp parsing. This attribute takes a strptime() format string, which it uses to extract the timestamp.

Splunk implements an enhanced version of Unix strptime() that supports additional formats, allowing for microsecond, millisecond, any time width format, and some additional time formats for compatibility. The additional formats are listed in this table: 

%I  For hours on a 12-hour clock format. If %I appears after %S or %s (like "%H:%M:%S.%l"), it takes on the log4cpp meaning of milliseconds.
0 Karma
Reply
Solved! Jump to solution

parth_jec
Path Finder
‎07-18-2012 06:05 AM

Figured out the problem, the timestamp format in the log file was incorrect (It didn't had AM/PM). Chnaged the timestamp format to 24 hours and it works fine now.

Thanks,

0 Karma
Reply
Solved! Jump to solution

jbsplunk
Splunk Employee
Splunk Employee
‎07-13-2012 08:29 AM

What are your search time constraints? If you do an all time, real time search for the source of these events, do you see any data?

0 Karma
Reply
Solved! Jump to solution

parth_jec
Path Finder
‎07-12-2012 03:12 PM

I followed the link and created a props.conf in the local directory.

-props.conf-
[source::]
TIME_PREFIX = INFO
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%I

The log file event are like:
INFO 2012-06-25 04:11:00 – ToAdmin.....

I have added one blank space after INFO in the TIME_PREFIX but still can't see the logs.

  1. Which logs can I look for in the splunk to debug this?

  2. Can I use multiple prefixes separated by '|' something like TIME_PREFIX= INFO |WARN etc?

  3. Can you pls explain what log4cpp is and how would it impact the timestamp parsing?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...