Solved: Timestamp parsed incorrectly

timgtallongs · ‎02-17-2014

Hi all

I have the following log:

09-feb-14 10:54:06.501 [w3wp.1320] {VproofApi}proofApi.GetOpenSessionscalled.

Splunk parses this date as 2009-02-14 (year-month-day)

Because i want the 09 as my day i tried using following time_format:

%d-%m-%Y %H:%M:%S

This gives an error

Thanks in advance

kristian_kolb · ‎02-17-2014

Yes, %m is the numeric representation of a month, i.e. 01, 02, 03 etc. What you want is the variable for the abbreviated alphabetic version, which is %b. Also, you might want to change the %Y to %y, since you only represent the year with two digits. Then you can add the milliseconds as well.

TIME_FORMAT = %d-%b-%y %H:%M:%S.%3N

http://www.strftime.net

/K

View solution in original post

kristian_kolb · ‎02-17-2014

Yes, %m is the numeric representation of a month, i.e. 01, 02, 03 etc. What you want is the variable for the abbreviated alphabetic version, which is %b. Also, you might want to change the %Y to %y, since you only represent the year with two digits. Then you can add the milliseconds as well.

TIME_FORMAT = %d-%b-%y %H:%M:%S.%3N

http://www.strftime.net

/K

timgtallongs · ‎02-17-2014

Worked like a charm, great site also. Thanks

Timestamp parsed incorrectly

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

How Edge Processor's Durable Queue Works

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Join the Conversation