Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Pb with sourcetype and date format

lefelle
New Member
‎08-03-2016 05:02 AM

i have a file with field date like 03/08/2016 09:25 GMT+02:00

My sourcetype doesn't work with
%d/%m/%Y %H:%M %Z%z
\d{2}/\d{2}/\d{4} \d{2}:\d{2} \d{2}:\d{2}

I have Failed to parse timestamp. defaulting to file modtime

Thanks

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-03-2016 05:59 AM

Do you have any control over how the field is written? Splunk expects offsets in hhmm format rather than hh:mm.

Also, the regex string in your question doesn't match the sample date. Try \d{2}\/\d{2}\/\d{4} \d{2}:\d{2} [A-Z]{3}\+\d{2}:\d{2}

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

lefelle
New Member
‎08-03-2016 06:20 AM

it doens't work.
the message is :
could not use strptime to parse timestamp from ....
failed to parse timestamp

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-03-2016 06:31 AM

One does not use regular expressions with strptime. I'm not sure what you're doing with it. I just wanted to point out it doesn't match your data.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

lefelle
New Member
‎08-03-2016 07:04 AM

In fact, i want to create a sourcetype to read my file. I selected Advance to define Format timestamp and Prefix timestamp. At this point, i have my parsing error.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-03-2016 07:08 AM

That's probably because of the odd timestamp format. Do you have the ability to change it?
I've never seen %Z and %z used together in a format string. Have you tried %d/%m/%Y %H:%M %Z?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

lefelle
New Member
‎08-03-2016 07:15 AM

Yes, i have.
It doesn't work too.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-03-2016 08:06 AM

That brings us back to my first question, which hasn't been answered.

Can the date format be changed?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

lefelle
New Member
‎08-03-2016 08:11 AM

I can't change the date format in the file. 😞
This file is create by nother system and i'm not ability to change it.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-03-2016 08:14 AM

Then you may have to use SED within your props.conf file to change the field to a recognized format.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

lefelle
New Member
‎08-03-2016 08:22 AM

how can do that ?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-03-2016 08:53 AM

In the props.conf stanza for your sourcetype put:

SEDCMD-timestamp=s/\d{2}\/\d{2}\/\d{4} \d{2}:\d{2} [A-Z]{3}\+\d{2}:\d{2}/\1\2\3/g

This should convert the timestamp into %m/%d/%Y %H:%S%Z format.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...