- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Need help to get Timestamp correctly,please
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Need help to get Timestamp correctly,please
I have data in the following:
host=ICSPSD instId=0001 ptime=2015-05-06 14:41:46,323 modName=icsfront logType=app ip=199.0.45.171 msg=[004127][0506 144145:629][ Dumpmsg.c][00133]->Dumpmsg begin
host=ICSPSD instId=0001 ptime=2015-05-06 14:41:46,323 modName=icsfront logType=app ip=199.0.45.171 msg=[004127][0506 144145:629][ Dumpmsg.c][00182]->DbsDumpmsg delete succ
host=ICSPSD instId=0001 ptime=2015-05-06 14:41:46,323 modName=icsfront logType=app ip=199.0.45.171 msg=[004127][0506 144145:629][ Dumpmsg.c][00282]->Dumpmsg end
host=ICSPSD instId=0001 ptime=2015-05-06 14:43:46,083 modName=icsfront logType=app ip=199.0.45.171 msg=[004127][0506 144345:643][ Dumpmsg.c][00133]->Dumpmsg begin
Timestamp like this "[0506 144145:629]" ,however I cannot get it.
The way I try like this:
TIME_FORMAT= %m%d %H%M%S:%3N
TIME_PREFIX= msg=[\d+][ (pay attention "backslash" cannot show in the question,but I have done it)
MAX_TIMESTAMP_LOOKAHEAD=15
So what cant I do ? I need help to get Splunk to get time correctly.Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello! Take a look at your TIME_FORMAT= %m%d %H%M%S:%3N and your data (0506 144145:629). I think in your TIME_FORMAT you did not well specify which values you need as the month, day, ........
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks,everyone.I have solved the problem by myself.The TIME_FORMAT= %m%d %H%M%S:%3N ,and my date (0506 144145:629) just mean "May 6th 14h:41min:45s,629" .
That's right, no problem.My mistake, which miss [sourcetype_name] in props.conf.So,the configuration has no effect.I am so sorry.Please,don't make the same mistakes.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah,I think the TIME_FORMAT could be wrong.But, I really donot know what is the matter and I have no way to get it correctly,please give me some advice,thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok. In (0506 144145:629), let me know which digits represent the year, the month, the day, the hour and the seconds
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
