Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Need help to get Timestamp correctly
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have data in the following format (Serv-U ftp log)
[5] Sun 01Jun08 00:24:04 - (000555) Connected to 76.76.76.76 (Local address 10.11.12.13)
I need help to get Splunk to get time correctly out of this.
Time is in this format (I think)
%d%b%y %T
So how to do it?
Automatically locate timestamp (default)
or
Timestamp is always prefaced by a pattern
I tried Auto and entered the date format in format field. It then complain about prefix?
If I select "Timestamp is always prefaced..." what then to fill in the filed?
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is your timestamp always prefaced by the pattern above "[5] Sun "? (Assuming the number and the 3-char weekday changes).
If so, you could enter a prefaced regex such as "\[\d\]\s\w{3}\s" (not sure if escape needed on brackets or not)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a similar problem:
BREAK_ONLY_BEFORE=\d{7}
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=true
TIME_FORMAT=%3N
TIME_PREFIX=\d{7}
Trying to parse out the millisecond timestamp from this log file, 9281736 :
9281736 : COUNT IN 1003
Tx: 01 04 00 71 00 02 21 d0 ...q..!.
Rx: 01 04 04 00 08 0a 28 7c f8
9282136 : COUNT IN 1003
Tx: 01 04 00 c9 00 02 a1 f5 ........
Rx: 01 04 04 00 08 00 00 7a 46
I suspect my TIME_FORMAT is wrong, because it breakes up events correctly.
Get the error of:
Could not use strptime to parse timestamp from ": COUNT 1003\n ......
Make sure a prefix pattern is
specified if the events don`t begin
with a timestamp.Failed to parse timestamp. Defaulting to file modtime.
Any suggestion would be much appreciated!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @nitrogaute
Using the answer space on a post isn't really the best (or appropriate) way to find a solution to an issue you're having on this site. Can you please post this as a separate question?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm a little late, but I just dealt with this yesterday. This is what was in my props.conf on my indexers for the servu_logs sourcetype:
[servu_logs]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = [[\d]+]\s[\w]+\s
TIME_FORMAT = %d%b%y %H:%M:%S
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is your timestamp always prefaced by the pattern above "[5] Sun "? (Assuming the number and the 3-char weekday changes).
If so, you could enter a prefaced regex such as "\[\d\]\s\w{3}\s" (not sure if escape needed on brackets or not)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, works perfect. I do added "regex" to the Timestamp field and "date format" in format field
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Unlocking Unified Insights: New Gigamon Federated Search App for Splunk
GA: New Data Management App in Splunk Platform
Announcing Modern Navigation: A New Era of Splunk User Experience
