We have some events coming into Splunk that look as follows:
time="09/10/2024 11:41:15"
URL="[Redacted String]"
Name="[Redacted String]"
Issuer="[Redacted String]"
Issued="27/10/2023 13:27:22"
Expires="26/10/2025 12:27:22"
Splunk is using ingest time instead of the time field. In props.conf for this sourcetype I have the following:
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = time=
TIME_FORMAT = "%d/%m/%Y %H:%M:%S"
CHARSET = UTF-8
KV_MODE = none
DISABLED = false
However, the time isn't being extracted properly. What do I need to change / add?
Thanks.
TIME_PREFIX is a regex match and they can get touchy sometimes. I would force the = and the " to be escaped, so: TIME_PREFIX = time\=\". Then I would take advantage of MAX_TIMESTAMP_LOOKAHEAD; although it should be inherited from the default, I always like to put it in my app when I have multiple timestamps in the raw data.
Hi, I modified the props.conf as recommended and there is no change; time is still being taken as ingest time:
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = time\=\"
TIME_FORMAT = "%d/%m/%Y %H:%M:%S"
MAX_TIMESTAMP_LOOKAHEAD = 27
CHARSET = UTF-8
KV_MODE = none
DISABLED = false
Any other ideas?
Please try to remove the " (double quotes) from the TIME_FORMAT.
TIME_FORMAT=%d/%m/%Y %H:%M:%S
If this isn't working, check out btool on this source/host/sourcetype for any DATETIME_CONFIG setting in your props.conf.
Hope this helps.
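To see why dropping the quotes matters, here is an added illustration (not Splunk's own parser, and not from anyone in this thread) that models TIME_PREFIX, TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD in strptime terms on a constructed copy of the event above. It assumes a simple "regex prefix, then parse the longest matching leading substring" model, which is an approximation of Splunk's more forgiving timestamp extractor.

```python
import re
from datetime import datetime
from typing import Optional

# Constructed sample event, shaped like the one in the question.
RAW_EVENT = (
    'time="09/10/2024 11:41:15"\n'
    'URL="[Redacted String]"\n'
    'Name="[Redacted String]"\n'
    'Issuer="[Redacted String]"\n'
    'Issued="27/10/2023 13:27:22"\n'
    'Expires="26/10/2025 12:27:22"'
)


def extract_timestamp(raw: str, time_prefix: str, time_format: str,
                      lookahead: int = 128) -> Optional[datetime]:
    """Apply the TIME_PREFIX regex, read at most `lookahead` characters
    after it, and parse the longest leading substring that fits
    TIME_FORMAT. None means Splunk would fall back to ingest time.
    This is an approximation of Splunk's behaviour, not its code."""
    m = re.search(time_prefix, raw)
    if not m:
        return None
    window = raw[m.end():m.end() + lookahead]
    # strptime needs the whole string to match, so trim trailing text
    # until the format fits (mimics a lenient timestamp parser).
    for end in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:end], time_format)
        except ValueError:
            continue
    return None


def quoted_format_result() -> Optional[datetime]:
    # Second attempt in the thread: the prefix already consumed the
    # opening quote, but the quoted TIME_FORMAT expects another one.
    return extract_timestamp(RAW_EVENT, r'time\=\"',
                             '"%d/%m/%Y %H:%M:%S"', lookahead=27)


def unquoted_format_result() -> Optional[datetime]:
    # Recommended fix: same prefix, quotes removed from TIME_FORMAT.
    return extract_timestamp(RAW_EVENT, r'time\=\"',
                             '%d/%m/%Y %H:%M:%S', lookahead=27)


if __name__ == "__main__":
    print("quoted TIME_FORMAT  :", quoted_format_result())
    print("unquoted TIME_FORMAT:", unquoted_format_result())
```

The 27-character lookahead window ends well before the Issued and Expires values, so even in this model only the time field can be picked up.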