Hey everyone. I am trying to add a time format to my props.conf file. The source is a CSV file containing multiple timestamps for each event. I'm only interested in the first one.
The timestamp looks like this in the event:
15:09:55.128 UTC AUG 31 2011
So in my props.conf I was planning to add something like this:
%H:%M:%S.%q%Z%tUTC%t%b%t%d%t%Y
Is there a more elegant way to handle the time zone being embedded in the middle? I can't find any reference in strptime() to dealing with time zones. Any help would be appreciated. I've tried letting Splunk recognize the timestamp, but it seems to be screwing up a bit.
Thanks!
I have been told that we use strftime for time formatting, and for reference in props.conf:
http://php.net/manual/en/function.strftime.php
Based on your string:
15:09:55.128 UTC AUG 31 2011
Try this:
%H:%M:%S.%3N UTC %h %d %Y
You also need to set TIME_PREFIX = ^\d+?\s\w{4}:\s+?[ and possibly MAX_TIMESTAMP_LOOKAHEAD = 35 (the number of characters to look into the line to find the timestamp).
The day depends: is it 1-31 = %e or 01-31 = %d?
According to strftime, %t is a tab; I think you just have spaces.
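A quick way to sanity-check the "zone as a literal" approach before touching props.conf is to replay it with Python's strptime, which uses the same directive family. This is an added example, not Splunk's parser or anything from the thread: Python's %f stands in for Splunk's %3N, %Z consumes the literal UTC token, and the regex plus lookahead window plays the role of TIME_PREFIX and MAX_TIMESTAMP_LOOKAHEAD in picking the first of the two timestamps in a constructed CSV event (the column layout is hypothetical).

```python
"""Check the timestamp format from this thread against a two-timestamp CSV event."""
import re
from datetime import datetime, timezone
from typing import Optional

# Format from the answer above, with Splunk's %3N swapped for Python's %f.
# Python's strptime accepts "UTC"/"GMT" for %Z but returns a naive datetime,
# so the zone is attached explicitly in parse_timestamp().
PY_TIME_FORMAT = "%H:%M:%S.%f %Z %b %d %Y"

# Shape of one timestamp; searching only a prefix of the event mirrors what
# TIME_PREFIX / MAX_TIMESTAMP_LOOKAHEAD do in Splunk: pick the first match.
TS_RE = re.compile(r"\d{2}:\d{2}:\d{2}\.\d{3} UTC [A-Za-z]{3} \d{1,2} \d{4}")

# Constructed sample event (hypothetical columns) carrying two timestamps.
SAMPLE_EVENT = (
    '42,"15:09:55.128 UTC AUG 31 2011",alice,'
    '"15:10:02.001 UTC AUG 31 2011",login_ok'
)


def extract_first_timestamp(event: str, lookahead: int = 60) -> Optional[str]:
    """Return the first timestamp found within the first `lookahead` characters."""
    match = TS_RE.search(event[:lookahead])
    return match.group(0) if match else None


def parse_timestamp(ts: str) -> datetime:
    """Parse with the literal-zone format and mark the result as UTC."""
    naive = datetime.strptime(ts, PY_TIME_FORMAT)
    return naive.replace(tzinfo=timezone.utc)


def event_time(event: str, lookahead: int = 60) -> Optional[datetime]:
    """Combine extraction and parsing; None means the lookahead was too short."""
    ts = extract_first_timestamp(event, lookahead)
    return parse_timestamp(ts) if ts else None


if __name__ == "__main__":
    print(event_time(SAMPLE_EVENT))
    # A lookahead that stops before the timestamp yields no time at all,
    # which is the same failure mode a too-small MAX_TIMESTAMP_LOOKAHEAD causes.
    print(event_time(SAMPLE_EVENT, lookahead=10))
```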