Re: Timestamp configuration does not pull the corr...

iherre312 · ‎09-24-2015

I am importing cisco logs that have two timestamps with different formats.
Unfortunately, configuration set in props.conf for the app is still not pulling extracting the correct date.
Here is a sample:

<splunk system timestamp> Aug 23 12:00:00 xxxx.org: <second timestamp> 2016 Sept 28 12:34:53 EDT

[test]
TIME_PREFIX = org :\s*
#TIME_FORMAT = %Y %b %d %H:%M:%S %Z
MAX_TIMESTAMP_LOOKAHEAD = 75

alacercogitatus · ‎09-24-2015

It seems to me, you do not need the TIME_PREFIX option, since the format of the different fields is, well, different.

You do want to use the TIME_FORMAT setting, which does look correct.

The TIME_PREFIX listed in your config would not work, due to the space in between the org and the :. You can correct the TIME_PREFIX , and your input should start working.

alacercogitatus · ‎09-30-2015

Please accept either answer if we have answered your question. Thanks!

lguinn2 · ‎09-24-2015

Looks like there is a space between "org" and ":" in your props.conf TIME_PREFIX, but not in your data.

Timestamp configuration does not pull the correct timestamp

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Join the Conversation