Solved: Re: Splunk timeformat issue - Page 2

uagraw01 · ‎07-14-2024

Hello Splunkers!!

I have a below event and I want to parse. But the event is not parsing with time format in Splunk. Please help me to get it fix .

TIME_FORMAT :

%dT%H:%M:%S.%3QZ

TIME_PREFIX :

\<eqtext\:EventTime\>

I have used the above setting but nothings works. StillI can see isse with indexed and event time. Please help me to get it fix.

Below are the raw events:

<eqtext:EquipmentEvent xmlns:eqtext="http:///FM/EqtEvent/EqtEventExtTypes/V1/1/5" xmlns:sbt="http://FM/Common/Services/ServicesBaseTypes/V1/8/4" xmlns:eqtexo="http://FM/EqtEvent/EqtEventExtOut/V1/1/5"><eqtext:ID><eqtext:Location><eqtext:PhysicalLocation><AreaID>7053</AreaID><ZoneID>33</ZoneID><EquipmentID>25</EquipmentID><ElementID>0</ElementID></eqtext:PhysicalLocation></eqtext:Location><eqtext:Description> Welder cold</eqtext:Description><eqtext:MIS_Address>6.2</eqtext:MIS_Address></eqtext:ID><eqtext:Detail><State>CAME_IN</State><eqtext:EventTime>2024-07-13T16:21:31.287Z</eqtext:EventTime><eqtext:MsgNr>7751154552301783480</eqtext:MsgNr><Severity>INFO</Severity><eqtext:OperatorID>WALVAU-SCADA-1</eqtext:OperatorID><ErrorType>TECHNICAL</ErrorType></eqtext:Detail></eqtext:EquipmentEvent></eqtexo:EquipmentEventReport>

PickleRick · ‎07-14-2024

You might want to set it to a bit higher value. The timestamp is relatively late in the event and the part before the timestamp contains dynamic data which can be of varying length so you have to account for that.

Bonus question - you're not using INDEXED_EXTRACTIONS, are you?

View solution in original post

uagraw01 · ‎07-14-2024

@inventsekar I have added these three corrected settings in props.conf. I am waiting for the real event to come in, if this works then the job will be done.

LINE_BREAKER = <\/eqtext:EquipmentEvent>()
TIME_PREFIX = ((?<!ReceiverFmInstanceName>))<eqtext:EventTime>
TZ = America/Glace_Bay

uagraw01 · ‎07-14-2024

@inventsekar I have updated this "TIME_FORMAT = %FT%H:%M:%S.%3Q%Z" other is in #

I have already restarted the Splunkd services.

inventsekar · ‎07-14-2024

Hi @uagraw01

|makeresults | eval logs="2024-07-13T16:21:31.287Z" 
| eval time=strptime(logs,"%Y-%m-%dT%H:%M:%S.%Q")
| eval date = strftime(time,"%Y-%m-%d %H:%M:%S") | table logs time date

... pls check "%Y-%m-%dT%H:%M:%S.%Q"

yuanliu · ‎07-14-2024

Should be "%FT%H:%M:%S.%3Q%Z". You can always test your time format with an emulation, like

| makeresults format=csv data="eqtext:EventTime
2024-07-13T16:21:31.287Z"
| eval _time = strptime('eqtext:EventTime', "%FT%H:%M:%S.%3Q%Z")

uagraw01 · ‎07-14-2024

@yuanliu @inventsekar When I ingested to Splunk both the times varies ( index and event time). Please see below screenshot.

inventsekar · ‎07-14-2024

Hi @uagraw01 pls show us your props.conf

(if you dont know where to find the props....

are you using HF or not... if u use HF, then props.conf should be there

if you dont use HF, then, you should have props.conf for this should be in indexer)

Splunk timeformat issue

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation