Solved: Timestamp parsing with separate Date and Time fiel...

tread_splunk · ‎01-22-2016

Hi there,

My event data has the following extract about 100chars in from the start of the event...

&ltdate_value&gt2015-08-30T00:00:00&lt/date_value&gt&lttime_value&gt23:58:52&lt/time_value&gt&ltagency&gtMCP&lt/agency&gt

I'm trying to get Splunk to construct the event timestamp value as 2015-08-30 23:58:52.

I've tried various forms of the following in PROPS.CONF...

TIME_FORMAT = YYYY-MM-DDT00:00:00&lt/date_value&gt<time_value>&lttime_value&gtHH:MM:SS

TIME_PREFIX = &ltdate_value&gt

Suggestions greatly appreciated.
Tony.

richgalloway · ‎01-22-2016

The TIME_FORMAT attribute must use strptime() metacharacters. Try this:

MAX_TIMESTAMP_LOOKAHEAD = 200
TIME_PREFIX = <date_value>
TIME_FORMAT = %Y-%m-%DT00:00:00</date_value><time_value>%H:%M:%S

---
If this reply helps you, Karma would be appreciated.

richgalloway · ‎01-22-2016

The TIME_FORMAT attribute must use strptime() metacharacters. Try this:

MAX_TIMESTAMP_LOOKAHEAD = 200
TIME_PREFIX = <date_value>
TIME_FORMAT = %Y-%m-%DT00:00:00</date_value><time_value>%H:%M:%S

---
If this reply helps you, Karma would be appreciated.

antlefebvre · ‎05-17-2016

I changed the %D to %d to make this work. Thanks @richgalloway

tread_splunk · ‎01-25-2016

Thanks @richgalloway. Spot on.

Timestamp parsing with separate Date and Time fields