Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Props.conf and time_format, what am I missing

howyagoin
Contributor
‎08-25-2011 07:13 PM

I'm missing something, not sure what...I've got some GMT timestamped logs that Splunk didn't magically guess correctly for timezone/date format, so I figured I'd give it a helping hand in props.conf.

My events look like this:

20110825 000702531+0000 hostname01 daemon 13020 1594146607 1594146607 Note;FoobleWibble(50/6) user=name@domain.com:cmd=run :fromhost=1.2.3.4

And I've added the following into props.conf for the directory where the files are located:

[source::/import/logs/files]
MAX_TIMESTAMP_LOOKAHEAD = 25
TIME_FORMAT = %Y%m%d %H%M%S%3N%z

GNU date seems to interpret that correctly, and from the reading I've seen on strptime on linux, this should be right, but it just doesn't seem to get it.

Do I really need a transforms.conf entry for this? Or time_prefix? Since the timestamp is at the start of the line, I was thinking the time_format would be enough.

Am I missing something obvious?

Tags (2)
Reply

woodcock
Esteemed Legend
‎05-29-2015 06:23 AM

First of all, I would not use source if at all possible; I have always used sourcetype for this. Secondly, your timestamps are 22 characters long, not 25. Try this:

[MySourceType]
MAX_TIMESTAMP_LOOKAHEAD = 22
TIME_FORMAT = %Y%m%d %H%M%S%3N%z

Also, you need to make sure that this is deployed to your indexers, which is where timestamping occurs, not to your forwarder.

0 Karma
Reply

howyagoin
Contributor
‎09-07-2011 09:00 PM

Yeah:

1   9/8/11 1:35:33.000 PM   20110907 185959292+0000 blah blah 22415 691265462 691265462 Note;blah2
2   9/8/11 1:35:33.000 PM   20110907 185957218+0000 blah blah 22415 691265200 691265200 Note;blah123
3   9/8/11 1:35:33.000 PM   20110907 185956595+0000 blah blah 22415 691265275 691265275 Note;blah123123

From a timechart point of view, everything is timestamped at the moment of reading the file.

Log errors:
AggregatorMiningProcessor - Too many events (400K) with the same timestamp: incrementing timestamps 4 seconds into the future to insure retrievability

0 Karma
Reply

hexx
Splunk Employee
Splunk Employee
‎08-28-2011 10:31 PM

I would assume that MAX_TIMESTAMP_LOOKAHEAD = 22 should be enough. How is Splunk getting the date wrong, exactly? Could you show us an example?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...