Timestamp help

Communicator

Hi Everyone,

This is probably really simple and I'm just not seeing it, but I'm having trouble pulling a timestamp from my data. Here is an example line of my data:

"123","L123ACM0004","17MAR2014:18:26:50","17MAR2014:18:26:39","17MAR2014:18:26:44","9105791332"

I'd like for the timestamp to be March 17th, 2014, at 18:26:50. I'm able to get the time, but not the date. This file is a .csv file with a header that is in the same format as the data (i.e. "columnheader1","columnheader2").

This is my props.conf right now:

FIELD_DELIMITER = ","
HEADER_MODE = firstline
MAX_TIMESTAMP_LOOKAHEAD=40
NO_BINARY_CHECK=1
TIME_FORMAT=%d%B%Y%H:%M:%S
TZ=America/Chicago
CHECK_FOR_HEADER=true
KV_MODE=none
SHOULD_LINEMERGE=false
pulldown_type=true

Thanks!

0 Karma

Champion

Hello Alex,
You are missing : in the time_format

TIME_FORMAT=%d%b%Y:%H:%M:%S
TIME_PREFIX=\d{4}","

Update: it should have been %b rather than %B

Splunk is getting confused about which of the times it should actually take, so TIME_PREFIX needs to be unique.

Thanks

0 Karma
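Added example (not part of the thread and not Splunk's code): a quick offline check of how the TIME_PREFIX regex and the format string from the answer above select and parse the third field of the sample line. It uses Python's `strptime` as a stand-in, which may not match Splunk's parser in every detail; the function name `extract_timestamp` is hypothetical, and it assumes the timestamp starts immediately after the prefix match.

```python
import re
from datetime import datetime

# Sample event line from the question.
EVENT = ('"123","L123ACM0004","17MAR2014:18:26:50",'
         '"17MAR2014:18:26:39","17MAR2014:18:26:44","9105791332"')


def extract_timestamp(event, time_format, time_prefix, lookahead=40):
    """Approximate TIME_PREFIX + MAX_TIMESTAMP_LOOKAHEAD + TIME_FORMAT.

    Returns a naive datetime, or None if the prefix does not match or
    nothing in the lookahead window parses with the given format.
    """
    m = re.search(time_prefix, event)  # first match wins
    if m is None:
        return None
    # The lookahead is counted from the end of the prefix match.
    window = event[m.end():m.end() + lookahead]
    # strptime must consume its whole input, so try the longest
    # leading slice of the window first and shrink until one parses.
    for end in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:end], time_format)
        except ValueError:
            continue
    return None


if __name__ == "__main__":
    prefix = r'\d{4}","'  # matches 0004"," right before the third field
    candidates = [
        "%d%B%Y%H:%M:%S",   # original props.conf: no ':' after the year
        "%d%B%Y:%H:%M:%S",  # colon added, still %B (full month name)
        "%d%b%Y:%H:%M:%S",  # format from the answer, %b (abbreviated month)
    ]
    for fmt in candidates:
        print(f"{fmt:18} -> {extract_timestamp(EVENT, fmt, prefix)}")
```

In Python only the last format parses `17MAR2014:18:26:50`; the first two return None because `MAR` is not a full month name and the first also lacks the colon after the year.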

Champion

Alex, I have just made some changes; could you try that out?

0 Karma

Communicator

TIME_FORMAT=%d%B%Y:%H:%M:%S

Sorry, typo in my answer there. Any other ideas?

0 Karma

Communicator

Thanks for the help, I'm sure that needed to be fixed, however that didn't seem to help. I must still be missing something.

I've got TIME_FORMAT"%d%B%Y:%H:%M:%S

0 Karma