- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Need help to get Timestamp correctly,please
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Need help to get Timestamp correctly,please
I have data in the following:
host=ICSPSD instId=0001 ptime=2015-05-06 14:41:46,323 modName=icsfront logType=app ip=199.0.45.171 msg=[004127][0506 144145:629][ Dumpmsg.c][00133]->Dumpmsg begin
host=ICSPSD instId=0001 ptime=2015-05-06 14:41:46,323 modName=icsfront logType=app ip=199.0.45.171 msg=[004127][0506 144145:629][ Dumpmsg.c][00182]->DbsDumpmsg delete succ
host=ICSPSD instId=0001 ptime=2015-05-06 14:41:46,323 modName=icsfront logType=app ip=199.0.45.171 msg=[004127][0506 144145:629][ Dumpmsg.c][00282]->Dumpmsg end
host=ICSPSD instId=0001 ptime=2015-05-06 14:43:46,083 modName=icsfront logType=app ip=199.0.45.171 msg=[004127][0506 144345:643][ Dumpmsg.c][00133]->Dumpmsg begin
Timestamp like this "[0506 144145:629]" ,however I cannot get it.
The way I try like this:
TIME_FORMAT= %m%d %H%M%S:%3N
TIME_PREFIX= msg=[\d+][ (pay attention "backslash" cannot show in the question,but I have done it)
MAX_TIMESTAMP_LOOKAHEAD=15
So what cant I do ? I need help to get Splunk to get time correctly.Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello! Take a look at your TIME_FORMAT= %m%d %H%M%S:%3N and your data (0506 144145:629). I think in your TIME_FORMAT you did not well specify which values you need as the month, day, ........
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks,everyone.I have solved the problem by myself.The TIME_FORMAT= %m%d %H%M%S:%3N ,and my date (0506 144145:629) just mean "May 6th 14h:41min:45s,629" .
That's right, no problem.My mistake, which miss [sourcetype_name] in props.conf.So,the configuration has no effect.I am so sorry.Please,don't make the same mistakes.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah,I think the TIME_FORMAT could be wrong.But, I really donot know what is the matter and I have no way to get it correctly,please give me some advice,thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok. In (0506 144145:629), let me know which digits represent the year, the month, the day, the hour and the seconds
Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!
Logs to Metrics
Developer Spotlight with Paul Stout
