Re: Timestamp help

AlexMcDuffMille · ‎05-09-2014

Hi Everyone,

This is probably really simple and I'm just not seeing it, but I'm having trouble pulling a timestamp from my data. Here is an example line of my data:

"123","L123ACM0004","17MAR2014:18:26:50","17MAR2014:18:26:39","17MAR2014:18:26:44","9105791332"

I'd like for the timestamp to be March 17th, 2014, at 18:26:50. I'm able to get the time, but not the date. This files is a .csv file with a header that in the same format of the data (i.e. "columnheader1","columnheader2"

This is my props.conf right now:

FIELD_DELIMITER = ","

HEADER_MODE = firstline

MAX_TIMESTAMP_LOOKAHEAD=40

NO_BINARY_CHECK=1

TIME_FORMAT=%d%B%Y%H:%M:%S

TZ=America/Chicago

CHECK_FOR_HEADER=true

KV_MODE=none

SHOULD_LINEMERGE=false

pulldown_type=true

Thanks!

linu1988 · ‎05-09-2014

Hello Alex,
You are missing : in the time_format

TIME_FORMAT=%d%b%Y:%H:%M:%S TIME_PREFIX=\d{4}","

Update: it should have been %b rather than %B

Splunk is getting confused with the times which one actually it should take. So TIME_PREFIX needs to be unique

Thanks

linu1988 · ‎05-09-2014

Alex i have just made some changes could you try that out?

AlexMcDuffMille · ‎05-09-2014

TIME_FORMAT=%d%B%Y:%H:%M:%S

sorry typo in my answer there, any other ideas?

AlexMcDuffMille · ‎05-09-2014

Thanks of the help, I'm sure that needed to be fixed, however that didn't seem to help. I must still be missing something.

I've got TIME_FORMAT"%d%B%Y:%H:%M:%S

Timestamp help

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk