Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Time format having pipe "|"
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi There,
I am having trouble recognizing time format of %Y%m%d|%H%M%S (e.g. |20130813|235858 )
I have tried using the following settings in props.conf
TIME_PREFIX = \|
TIME_FORMAT = %Y%m%d\|%H%M%S
and
TIME_PREFIX = \|
TIME_FORMAT = %Y%m%d|%H%M%S
both not working.
Can anyone help me out here please.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The docs on TIME_PREFIX can give some explanation;
TIME_PREFIX = <regular expression> in the text following the end of the
* If set, splunk scans the event text for a match for this regex in event text before attempting
to extract a timestamp.
* The timestamping algorithm only looks for a timestamp
first regex match..
* For example, if TIME_PREFIX is set to "abc123", only text following the first occurrence of the
text abc123 will be used for timestamp extraction
Perhaps something like this could work;
TIME_PREFIX = \|(?=\d{8})
Haven't tried it in Splunk, but it works in the excellent online regex tester found at
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The docs on TIME_PREFIX can give some explanation;
TIME_PREFIX = <regular expression> in the text following the end of the
* If set, splunk scans the event text for a match for this regex in event text before attempting
to extract a timestamp.
* The timestamping algorithm only looks for a timestamp
first regex match..
* For example, if TIME_PREFIX is set to "abc123", only text following the first occurrence of the
text abc123 will be used for timestamp extraction
Perhaps something like this could work;
TIME_PREFIX = \|(?=\d{8})
Haven't tried it in Splunk, but it works in the excellent online regex tester found at
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes working very well.
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=false
TIME_FORMAT=%Y%m%d|%H%M%S
TIME_PREFIX=\|(?=\d{8})
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for looking into this
Below are some events
|CALLCONTROL|VMSIVR2|107|20130814|130224|130230|I
|CALLCONTROL|VMSIVR2|183|20130814|130224|130230|I
|CALLCONTROL|VMSIVR2|99|20130814|130124|130230|I
|PROVI|APS2|20130814|130240|
|PROVI|APS2|20130814|130253|
|SMSC|VMSIVR2||20130814|125501|
|SMSC|VMSIVR2||20130814|125511
|20130814|125959|202|12342|
|20130814|134950|203|12451|
Please note that the timestamp is moving here and there since this log is getting combined from various sources.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
are there any other pipes before the one preceding the timestamp? Please post a few sample events.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Does the log starts with the time field? Could you paste a little more of the log?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
