Solved: Parser finding time but not date.

inglisn · ‎03-28-2012

I have an event that starts something like this:

2012-03-20 06:07:00.000,BLANK,11.12.13.14,,,IP,Linux hostname 2.6.18-194.el5 1 SMP Tue Mar 16 21:52:39 EDT 2010 x86 64,

The first field is the timestamp of the event, I've inserted a blank value to separate it from the IP it seemed to not be identifying that as a proper timestamp. The problem I've got is the parser is using the time portion of the timestamp (06:07:00) but the date from the kernel string ( "Mar 16 .... 2010" ).

Within inputs.conf I've tried adding a prefix to lock the lookahead to the start of the event and not look beyond the end of the timestamp, but it still picks out the wrong thing.

TIME_FORMAT = %Y-%m-%d %H:%M:$S.000
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 25

lguinn2 · ‎03-28-2012

These are good settings, but they belong in props.conf, not inputs.conf. And the stanza header for props.conf is a little different.

[yourSourcetype]
TIME_FORMAT = %Y-%m-%d %H:%M:%S.000
MAX_TIMESTAMP_LOOKAHEAD = 25

should do it. You might not even need the time format.

View solution in original post

lguinn2 · ‎03-28-2012

These are good settings, but they belong in props.conf, not inputs.conf. And the stanza header for props.conf is a little different.

[yourSourcetype]
TIME_FORMAT = %Y-%m-%d %H:%M:%S.000
MAX_TIMESTAMP_LOOKAHEAD = 25

should do it. You might not even need the time format.

inglisn · ‎03-29-2012

Doh!

Thanks.

Parser finding time but not date.

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine

Are you a member of the Splunk Community?

Parser finding time but not date.

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine