Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Time extraction using props.conf

Glom
New Member
‎10-09-2024 05:38 AM

We have some events coming in to Splunk that show as following:

time="09/10/2024 11:41:15"
URL="[Redacted String]"
Name="[Redacted String]"
Issuer="[Redacted String]"
Issued="27/10/2023 13:27:22"
Expires="26/10/2025 12:27:22"

Splunk is using ingest time instead of the time field. In props.conf for this sourcetype I have the following:

SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = time=
TIME_FORMAT = "%d/%m/%Y %H:%M:%S"
CHARSET = UTF-8
KV_MODE = none
DISABLED = false

However the time isn't being extracted properly, what do I need to change / add?

Thanks.

Labels (1)
Labels
0 Karma
Reply

dural_yyz
Motivator
‎10-09-2024 06:57 AM

TIME_PREFIX is a regex match and they can get touchy sometimes.  I would force the = and the " to be escaped so: TIME_PREFIX = time\=\".  Then I would take advantage of the MAX_TIMESTAMP_LOOKAHEAD, although it should be inherited from the default I always like to put it in my app when I have multiple timestamps in the raw data.

0 Karma
Reply

Glom
New Member
‎10-09-2024 07:08 AM

Hi I modified the props.conf as recommended and no change, time is still being taken as ingest time:

SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = time\=\"
TIME_FORMAT = "%d/%m/%Y %H:%M:%S"
MAX_TIMESTAMP_LOOKAHEAD = 27
CHARSET = UTF-8
KV_MODE = none
DISABLED = false

Any other ideas?

0 Karma
Reply

sainag_splunk
Splunk Employee
Splunk Employee
‎10-09-2024 07:30 AM

Please try to remove the " (double quotes) from the TIME_FORMAT.

TIME_FORMAT=%d/%m/%Y %H:%M:%S

 

If this isn't working checkout the btool on this source/host/sourcetype for any DATETIME_CONFIG setting on your props.conf.

Hope this helps.

If this helps, Upvote!!!!
Together we make the Splunk Community stronger 
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

Data Management Digest – May 2026

Welcome to the May 2026 edition of Data Management Digest!   As your trusted partner in data innovation, the ...