Indexer not parsing 12 hour timestamp format

parth_jec
Path Finder

Hi,

I am using Universal forwarder (splunkforwarder-4.3.2-123586-x64-release) to forward multiple logs to the indexer (version 4.2.4, build 110225). For a particular log, I cannot see the logs indexed after 12:59 every day. For this log the timestamp format is a 12 hour format, Ex: 2012-07-12 01:00:16. However, all the other logs are forwarded properly from the same forwarder and they are using timestamp of 24 hour format, Ex: 2012-07-12 13:05:56.

How can I fix this?

Thanks,

0 Karma

jbsplunk
Splunk Employee

It sounds like you need to configure time format explicitly. If you did an all time, real time search for the source in question, I am guessing you'd continue to see data, but it would be timestamped incorrectly.

http://docs.splunk.com/Documentation/Splunk/latest/Data/Configuretimestamprecognition

Use the TIME_FORMAT attribute in props.conf to configure timestamp parsing. This attribute takes a strptime() format string, which it uses to extract the timestamp.

Splunk implements an enhanced version of Unix strptime() that supports additional formats, allowing for microsecond, millisecond, any time width format, and some additional time formats for compatibility. The additional formats are listed in this table: 

%I  For hours on a 12-hour clock format. If %I appears after %S or %s (like "%H:%M:%S.%l"), it takes on the log4cpp meaning of milliseconds. 

0 Karma

parth_jec
Path Finder

Figured out the problem, the timestamp format in the log file was incorrect (it didn't have AM/PM). Changed the timestamp format to 24 hours and it works fine now.

Thanks,

0 Karma
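
An added example, not part of the original posts or Splunk's own code: a Python check for the condition the poster found, a 12-hour clock written without AM/PM, run over constructed sample lines shaped like the ones in this thread. It assumes the log is append-only, so file order is chronological; the function names are hypothetical.

```python
import re
from datetime import datetime

# Assumption: the log is append-only, so file order is chronological order.
TS_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")
FMT = "%Y-%m-%d %H:%M:%S"  # how the value is read when no AM/PM is present

# Constructed sample lines (not taken from a real log).
SAMPLE = [
    "INFO 2012-07-12 11:58:03 - heartbeat",
    "INFO 2012-07-12 12:59:41 - heartbeat",
    "INFO 2012-07-12 01:00:16 - heartbeat",  # written at 13:00:16 wall-clock time
    "INFO 2012-07-12 01:30:00 - heartbeat",
    "INFO 2012-07-13 09:00:00 - heartbeat",
]

def audit(lines):
    """Return (hour values seen, [(line_no, previous_ts, ts)] where time went backwards)."""
    hours, regressions, prev = set(), [], None
    for n, line in enumerate(lines, 1):
        m = TS_RE.search(line)
        if not m:
            continue  # continuation line or no timestamp
        ts = datetime.strptime(m.group(0), FMT)
        hours.add(ts.hour)
        if prev is not None and ts < prev:
            regressions.append((n, prev, ts))
        prev = ts
    return hours, regressions

def is_12h_without_meridiem(lines):
    """True when the source looks like a 12-hour clock with the AM/PM marker missing."""
    hours, regressions = audit(lines)
    # A 24-hour source eventually emits hour 00 or 13-23; a 12-hour one never
    # does, and its clock appears to jump back when 12:59 rolls over to 01:00.
    only_1_to_12 = bool(hours) and hours <= set(range(1, 13))
    return only_1_to_12 and bool(regressions)

if __name__ == "__main__":
    hours, regs = audit(SAMPLE)
    for n, prev, ts in regs:
        print(f"line {n}: clock went back {prev - ts} ({prev} -> {ts})")
    print("12-hour clock without AM/PM:", is_12h_without_meridiem(SAMPLE))
```

Events flagged this way are stored roughly twelve hours in the past, so they fall outside recent search windows and alert time ranges even though they were received.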

jbsplunk
Splunk Employee

What are your search time constraints? If you do an all time, real time search for the source of these events, do you see any data?

0 Karma

parth_jec
Path Finder

I followed the link and created a props.conf in the local directory.

-props.conf-
[source::]
TIME_PREFIX = INFO
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%I

The log file events are like:
INFO 2012-06-25 04:11:00 – ToAdmin.....

I have added one blank space after INFO in the TIME_PREFIX but still can't see the logs.

  1. Which logs can I look for in the splunk to debug this?

  2. Can I use multiple prefixes separated by '|' something like TIME_PREFIX= INFO |WARN etc?

  3. Can you pls explain what log4cpp is and how would it impact the timestamp parsing?

0 Karma