I have data like the following:
host=ICSPSD instId=0001 ptime=2015-05-06 14:41:46,323 modName=icsfront logType=app ip=199.0.45.171 msg=[004127][0506 144145:629][ Dumpmsg.c][00133]->Dumpmsg begin
host=ICSPSD instId=0001 ptime=2015-05-06 14:41:46,323 modName=icsfront logType=app ip=199.0.45.171 msg=[004127][0506 144145:629][ Dumpmsg.c][00182]->DbsDumpmsg delete succ
host=ICSPSD instId=0001 ptime=2015-05-06 14:41:46,323 modName=icsfront logType=app ip=199.0.45.171 msg=[004127][0506 144145:629][ Dumpmsg.c][00282]->Dumpmsg end
host=ICSPSD instId=0001 ptime=2015-05-06 14:43:46,083 modName=icsfront logType=app ip=199.0.45.171 msg=[004127][0506 144345:643][ Dumpmsg.c][00133]->Dumpmsg begin
The timestamp looks like this: "[0506 144145:629]"; however, I cannot get it.
This is what I tried:
TIME_FORMAT= %m%d %H%M%S:%3N
TIME_PREFIX= msg=[\d+][ (pay attention: the "backslash" cannot be shown in the question, but I have done it)
MAX_TIMESTAMP_LOOKAHEAD=15
So what can I do? I need help to get Splunk to get the time correctly. Thanks.
Hello! Take a look at your TIME_FORMAT= %m%d %H%M%S:%3N and your data (0506 144145:629). I think in your TIME_FORMAT you did not properly specify which values you need as the month, day, ...
Thanks
Thanks, everyone. I have solved the problem by myself. The TIME_FORMAT= %m%d %H%M%S:%3N, and my date (0506 144145:629) just means "May 6th 14h:41min:45s,629".
That's right, no problem. My mistake was missing [sourcetype_name] in props.conf, so the configuration had no effect. I am so sorry. Please don't make the same mistake.
Yeah, I think the TIME_FORMAT could be wrong. But I really do not know what the matter is, and I have no way to get it right. Please give me some advice, thanks.
Ok. In (0506 144145:629), let me know which digits represent the year, the month, the day, the hour and the seconds.
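An offline check of the settings discussed in this thread, as an added example that is not part of any post and not Splunk's own code: it approximates the TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD and TIME_FORMAT steps in Python against the first sample event. The escaping backslashes in the prefix, the `extract_timestamp` helper and the caller-supplied year are assumptions.

```python
import re
from datetime import datetime

# Settings from the question. The escaping backslashes in TIME_PREFIX are an
# assumption: the poster notes that the forum did not display them.
TIME_PREFIX = r"msg=\[\d+\]\["
TIME_FORMAT = "%m%d %H%M%S:%3N"
MAX_TIMESTAMP_LOOKAHEAD = 15

# First sample event from the question, wrapped here only for line length.
SAMPLE = ("host=ICSPSD instId=0001 ptime=2015-05-06 14:41:46,323 "
          "modName=icsfront logType=app ip=199.0.45.171 "
          "msg=[004127][0506 144145:629][ Dumpmsg.c][00133]->Dumpmsg begin")

# Two-digit fields used by this TIME_FORMAT; %3N (milliseconds) is handled apart.
TOKENS = {"%m": "month", "%d": "day", "%H": "hour",
          "%M": "minute", "%S": "second"}


def extract_timestamp(event, year, prefix=TIME_PREFIX,
                      lookahead=MAX_TIMESTAMP_LOOKAHEAD, fmt=TIME_FORMAT):
    """Approximate prefix -> lookahead window -> format; None on any failure.

    `year` is passed in because the bracketed timestamp carries no year.
    """
    found = re.search(prefix, event)
    if found is None:
        return None  # the prefix never matched this event
    # Only `lookahead` characters after the prefix are offered to the format.
    window = event[found.end():found.end() + lookahead]
    pattern = re.escape(fmt).replace("%3N", r"(?P<ms>\d{3})")
    for token, name in TOKENS.items():
        pattern = pattern.replace(token, rf"(?P<{name}>\d{{2}})")
    ts = re.match(pattern, window)
    if ts is None:
        return None  # window too short, or the format does not fit the text
    parts = {key: int(value) for key, value in ts.groupdict().items()}
    ms = parts.pop("ms")
    try:
        return datetime(year, microsecond=ms * 1000, **parts)
    except ValueError:
        return None  # digits matched but are not a valid date or time


if __name__ == "__main__":
    print(extract_timestamp(SAMPLE, 2015))
    print(extract_timestamp(SAMPLE, 2015, lookahead=10))
```

The second call shows that a lookahead shorter than the 15-character timestamp cuts the value off before the format can match.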