Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Need help to get Timestamp correctly

lakromani
Builder
‎06-17-2014 09:05 AM

I have data in the following format (Serv-U ftp log)

[5] Sun 01Jun08 00:24:04 - (000555) Connected to 76.76.76.76 (Local address 10.11.12.13)

I need help to get Splunk to get time correctly out of this.

Time is in this format (I think)

%d%b%y %T

So how to do it?

Automatically locate timestamp (default)

or
Timestamp is always prefaced by a pattern

I tried Auto and entered the date format in format field. It then complain about prefix?

If I select "Timestamp is always prefaced..." what then to fill in the filed?

Thanks

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

jeremiahc4
Builder
‎06-17-2014 09:16 AM

Is your timestamp always prefaced by the pattern above "[5] Sun "? (Assuming the number and the 3-char weekday changes).

If so, you could enter a prefaced regex such as "\[\d\]\s\w{3}\s" (not sure if escape needed on brackets or not)

View solution in original post

Reply
Solved! Jump to solution

nitrogaute
New Member
‎10-28-2014 03:58 AM

I have a similar problem:

BREAK_ONLY_BEFORE=\d{7}
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=true
TIME_FORMAT=%3N
TIME_PREFIX=\d{7}

Trying to parse out the millisecond timestamp from this log file, 9281736 :

  9281736 : COUNT IN 1003
Tx:   01 04 00 71 00 02 21 d0                              ...q..!.
Rx:   01 04 04 00 08 0a 28 7c f8    
  9282136 : COUNT IN 1003
Tx:   01 04 00 c9 00 02 a1 f5                              ........
Rx:   01 04 04 00 08 00 00 7a 46

I suspect my TIME_FORMAT is wrong, because it breakes up events correctly.
Get the error of:

Could not use strptime to parse timestamp from ": COUNT 1003\n ......
Make sure a prefix pattern is
specified if the events don`t begin
with a timestamp.

Failed to parse timestamp. Defaulting to file modtime.

Any suggestion would be much appreciated!

0 Karma
Reply
Solved! Jump to solution

ppablo
Retired
‎10-29-2014 06:32 PM

Hi @nitrogaute

Using the answer space on a post isn't really the best (or appropriate) way to find a solution to an issue you're having on this site. Can you please post this as a separate question?

0 Karma
Reply
Solved! Jump to solution

hortonew
Builder
‎10-08-2014 08:17 AM

I'm a little late, but I just dealt with this yesterday. This is what was in my props.conf on my indexers for the servu_logs sourcetype:

[servu_logs]

SHOULD_LINEMERGE = false

LINE_BREAKER = ([\r\n]+)

TIME_PREFIX = [[\d]+]\s[\w]+\s

TIME_FORMAT = %d%b%y %H:%M:%S

0 Karma
Reply
Solved! Jump to solution
Solution

jeremiahc4
Builder
‎06-17-2014 09:16 AM

Is your timestamp always prefaced by the pattern above "[5] Sun "? (Assuming the number and the 3-char weekday changes).

If so, you could enter a prefaced regex such as "\[\d\]\s\w{3}\s" (not sure if escape needed on brackets or not)

Reply
Solved! Jump to solution

lakromani
Builder
‎06-17-2014 11:06 AM

Thanks, works perfect. I do added "regex" to the Timestamp field and "date format" in format field

Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...