Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Time extraction using props.conf

Glom
New Member
‎10-09-2024 05:38 AM

We have some events coming in to Splunk that show as following:

time="09/10/2024 11:41:15"
URL="[Redacted String]"
Name="[Redacted String]"
Issuer="[Redacted String]"
Issued="27/10/2023 13:27:22"
Expires="26/10/2025 12:27:22"

Splunk is using ingest time instead of the time field. In props.conf for this sourcetype I have the following:

SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = time=
TIME_FORMAT = "%d/%m/%Y %H:%M:%S"
CHARSET = UTF-8
KV_MODE = none
DISABLED = false

However the time isn't being extracted properly, what do I need to change / add?

Thanks.

Labels (1)
Labels
0 Karma
Reply

dural_yyz
Motivator
‎10-09-2024 06:57 AM

TIME_PREFIX is a regex match and they can get touchy sometimes.  I would force the = and the " to be escaped so: TIME_PREFIX = time\=\".  Then I would take advantage of the MAX_TIMESTAMP_LOOKAHEAD, although it should be inherited from the default I always like to put it in my app when I have multiple timestamps in the raw data.

0 Karma
Reply

Glom
New Member
‎10-09-2024 07:08 AM

Hi I modified the props.conf as recommended and no change, time is still being taken as ingest time:

SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = time\=\"
TIME_FORMAT = "%d/%m/%Y %H:%M:%S"
MAX_TIMESTAMP_LOOKAHEAD = 27
CHARSET = UTF-8
KV_MODE = none
DISABLED = false

Any other ideas?

0 Karma
Reply

sainag_splunk
Splunk Employee
Splunk Employee
‎10-09-2024 07:30 AM

Please try to remove the " (double quotes) from the TIME_FORMAT.

TIME_FORMAT=%d/%m/%Y %H:%M:%S

 

If this isn't working checkout the btool on this source/host/sourcetype for any DATETIME_CONFIG setting on your props.conf.

Hope this helps.

If this helps, Upvote!!!!
Together we make the Splunk Community stronger 
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...