Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Is the configuration for my timestamp correct?

patriziadepaola
Explorer
‎12-07-2016 02:59 AM

I have a problem with the right extraction of timestamp in a log file. The string example of my log :

161206 152835 LNX64 3 PWX-36145 ORAD Info Mbr 2: +   Low SCN 6120947915182. Low SCN Time 12/06/2016 14:58:17.
161206 152835 LNX64 3 PWX-36146 ORAD Info Mbr 2: +   Next SCN 6120950880737. Next SCN Time 12/06/2016 15:27:58.
161206 152900 LNX64 3 PWX-36117 ORAD Info Mbr 3: Reader is waiting for log sequence 36736 with start SCN 6120950700533 to be archived.
161206 152908 LNX64 3 PWX-36440 ORAD Info: Monitor messages begin (2016/12/06 15:29:08).
161206 152908 LNX64 3 PWX-36441 ORAD Info: Interval return counts: no data 114, commits 32717, inserts 35394, updates 5898, deletes 118.
161206 152908 LNX64 3 PWX-36442 ORAD Info: Interval TMGR counts: no data 124, transaction control 529871, operations 109033, other 0.

this my props.conf :

[etl-pwxccl_log2]
CHARSET = UTF-8
TIME_PREFIX=^
MAX_TIMESTAMP_LOOKAHEAD = 14
TIME_FORMAT = %Y%m%d %H%M%S
SHOULD_LINEMERGE = false
disabled = false
REPORT-pwxccl = etl-pwxxccl-fields

this my transforms.conf:

[etl-pwxxccl-fields]
REGEX=  ^(?P\d+)\s+(?P\d+)\s+(?P.+) 

FORMAT = DATA::"$1" ORA::"$2" MESSAGE::"$3"

WRITE_META=1

With this configuration the extraction of date is correct but is the time incorrect (recovered in other places of the log line?)

Can someone help me?

0 Karma
Reply

sundareshr
Legend
‎12-07-2016 05:42 AM

Since its 2-digit year (YY), try lower case %y. Like this %y%m%d %H%M%S

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...