Getting Data In

Time Format Help

rlaan
Path Finder

I am looking for help figuring out how to represent the following timestamp as a prefix for parsing time/start of events. this is contained in some logs i was provided today and am having difficulty figuring out how to get pas the "o'clock" contained within the log files. these are new logs that were indexed under an existing sourcetype that already had a working/existing timestamp format.

Old format: (majority of logs)
[2021-02-23T14:37:26.659-07:00]

New/abnormal format: (some weird new stuff) 
<23-Feb-2021 2:21:41 o'clock PM MST>

I am trying to figure out how best to capture the new format logs from the existing sourcetype and redirect them into the proper timestamp configuration or a new sourcetype of their own.

Labels (1)
0 Karma
1 Solution

scelikok
SplunkTrust
SplunkTrust

Hi @rlaan,

You can use below time format;

TIME_PREFIX = <
TIME_FORMAT = %d-%b-%Y %I:%M:%S o'clock %p %Z
If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

scelikok
SplunkTrust
SplunkTrust

Hi @rlaan,

You can use below time format;

TIME_PREFIX = <
TIME_FORMAT = %d-%b-%Y %I:%M:%S o'clock %p %Z
If this reply helps you an upvote and "Accept as Solution" is appreciated.
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...