Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Indexer not parsing 12 hour timestamp format

parth_jec
Path Finder
‎07-12-2012 11:58 AM

Hi,

I am using Universal forwarder (splunkforwarder-4.3.2-123586-x64-release) to forward multiple logs to the indexer (version 4.2.4, build 110225 ). For a particular log, I cannot see the logs indexed after 12:59 every day. For this log the timestamp format is a 12 hour format, Ex: 2012-07-12 01:00:16. However, all the other logs are forwarded properly from the same frowarder and they are using timestamp of 24 hour format, Ex: 2012-07-12 13:05:56.

How can I fix this?

Thanks,

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jbsplunk
Splunk Employee
Splunk Employee
‎07-12-2012 12:55 PM

It sounds like you need to configure time format explicitly. If you did an all time,real time search for the source in question, I am guessing you'd continue to see data, but it would be timestamped incorrectly.

http://docs.splunk.com/Documentation/Splunk/latest/Data/Configuretimestamprecognition

Use the TIME_FORMAT attribute in props.conf to configure timestamp parsing. This attribute takes a strptime() format string, which it uses to extract the timestamp.

Splunk implements an enhanced version of Unix strptime() that supports additional formats, allowing for microsecond, millisecond, any time width format, and some additional time formats for compatibility. The additional formats are listed in this table: 

%I  For hours on a 12-hour clock format. If %I appears after %S or %s (like "%H:%M:%S.%l"), it takes on the log4cpp meaning of milliseconds.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

jbsplunk
Splunk Employee
Splunk Employee
‎07-12-2012 12:55 PM

It sounds like you need to configure time format explicitly. If you did an all time,real time search for the source in question, I am guessing you'd continue to see data, but it would be timestamped incorrectly.

http://docs.splunk.com/Documentation/Splunk/latest/Data/Configuretimestamprecognition

Use the TIME_FORMAT attribute in props.conf to configure timestamp parsing. This attribute takes a strptime() format string, which it uses to extract the timestamp.

Splunk implements an enhanced version of Unix strptime() that supports additional formats, allowing for microsecond, millisecond, any time width format, and some additional time formats for compatibility. The additional formats are listed in this table: 

%I  For hours on a 12-hour clock format. If %I appears after %S or %s (like "%H:%M:%S.%l"), it takes on the log4cpp meaning of milliseconds.
0 Karma
Reply
Solved! Jump to solution

parth_jec
Path Finder
‎07-18-2012 06:05 AM

Figured out the problem, the timestamp format in the log file was incorrect (It didn't had AM/PM). Chnaged the timestamp format to 24 hours and it works fine now.

Thanks,

0 Karma
Reply
Solved! Jump to solution

jbsplunk
Splunk Employee
Splunk Employee
‎07-13-2012 08:29 AM

What are your search time constraints? If you do an all time, real time search for the source of these events, do you see any data?

0 Karma
Reply
Solved! Jump to solution

parth_jec
Path Finder
‎07-12-2012 03:12 PM

I followed the link and created a props.conf in the local directory.

-props.conf-
[source::]
TIME_PREFIX = INFO
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%I

The log file event are like:
INFO 2012-06-25 04:11:00 – ToAdmin.....

I have added one blank space after INFO in the TIME_PREFIX but still can't see the logs.

  1. Which logs can I look for in the splunk to debug this?

  2. Can I use multiple prefixes separated by '|' something like TIME_PREFIX= INFO |WARN etc?

  3. Can you pls explain what log4cpp is and how would it impact the timestamp parsing?

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...