- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Need help to get Timestamp correctly
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have data in the following format (Serv-U ftp log)
[5] Sun 01Jun08 00:24:04 - (000555) Connected to 76.76.76.76 (Local address 10.11.12.13)
I need help to get Splunk to get time correctly out of this.
Time is in this format (I think)
%d%b%y %T
So how to do it?
Automatically locate timestamp (default)
or
Timestamp is always prefaced by a pattern
I tried Auto and entered the date format in format field. It then complain about prefix?
If I select "Timestamp is always prefaced..." what then to fill in the filed?
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is your timestamp always prefaced by the pattern above "[5] Sun "? (Assuming the number and the 3-char weekday changes).
If so, you could enter a prefaced regex such as "\[\d\]\s\w{3}\s" (not sure if escape needed on brackets or not)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a similar problem:
BREAK_ONLY_BEFORE=\d{7}
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=true
TIME_FORMAT=%3N
TIME_PREFIX=\d{7}
Trying to parse out the millisecond timestamp from this log file, 9281736 :
9281736 : COUNT IN 1003
Tx: 01 04 00 71 00 02 21 d0 ...q..!.
Rx: 01 04 04 00 08 0a 28 7c f8
9282136 : COUNT IN 1003
Tx: 01 04 00 c9 00 02 a1 f5 ........
Rx: 01 04 04 00 08 00 00 7a 46
I suspect my TIME_FORMAT is wrong, because it breakes up events correctly.
Get the error of:
Could not use strptime to parse timestamp from ": COUNT 1003\n ......
Make sure a prefix pattern is
specified if the events don`t begin
with a timestamp.Failed to parse timestamp. Defaulting to file modtime.
Any suggestion would be much appreciated!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @nitrogaute
Using the answer space on a post isn't really the best (or appropriate) way to find a solution to an issue you're having on this site. Can you please post this as a separate question?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm a little late, but I just dealt with this yesterday. This is what was in my props.conf on my indexers for the servu_logs sourcetype:
[servu_logs]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = [[\d]+]\s[\w]+\s
TIME_FORMAT = %d%b%y %H:%M:%S
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is your timestamp always prefaced by the pattern above "[5] Sun "? (Assuming the number and the 3-char weekday changes).
If so, you could enter a prefaced regex such as "\[\d\]\s\w{3}\s" (not sure if escape needed on brackets or not)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, works perfect. I do added "regex" to the Timestamp field and "date format" in format field
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
