Timestamp Minute and Second need to have a leading...

cmak · ‎03-21-2013

I have the following line in props.conf

TIME_FORMAT = %m/%d/%Y %H:%M:%S

I have the following timestamp:

"2/23/2013 9:21:21"

Splunk can recognize that. However, without the leading 0 in minutes or seconds (if value is less than 10), Splunk cannot recognize the timestamp.

"2/23/2013 9:1:01"
"2/23/2013 9:01:1"

How can this be fixed?

kristian_kolb · ‎03-22-2013

Very good idea indeed. If possible (or required) you could/should also add subseconds and TZ.

/k

cmak · ‎03-22-2013

I ended up simply changing my timestamp so that it has 2 digits for minutes and seconds

martin_mueller · ‎03-21-2013

You can give %#M and %#S a try.

cmak · ‎03-21-2013

When I have "2/23/2013 9:1:01", it thinks it is "2/23/2013 1:01:00" and skips the hour.

All other cases that have 1 digit as M or S will simply use index time as the event time stamp

martin_mueller · ‎03-21-2013

For me even %m/%d/%Y %H:%M:%S works well with all these timestamps:

2/23/2013 9:1:1
2/23/2013 9:01:1
2/23/2013 9:1:01
2/23/2013 9:01:01

cmak · ‎03-21-2013

TIME_FORMAT = %m/%d/%Y %k:%#M:%#S

This still seems to need the leading zero

kristian_kolb · ‎03-21-2013

Try with %k or %l instead of %H (depending on whether you have 0-24 or 0-12 for the hour. Since there is no AM/PM in your timestamp, I'd guess that you have a 24-hour clock.

See http://www.strftime.net

Hope this helps,

Kristian

cmak · ‎03-21-2013

Thanks for the info about %k

kristian_kolb · ‎03-21-2013

oops, just saw that you had the same problem for minutes and seconds... hmm... mm...mmm....

Timestamp Minute and Second need to have a leading 0 for Splunk to recognize

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!