Solved: Timestamp shown incorrectly in search result, how ...

rune_hellem · ‎12-12-2013

Running Splunk 6.0 (build 182037)

Trying to parse the SystemOut.log-file from WebSphere. Example log entry

[12.12.13 13:42:36:130 CET] 00000cbd NodeSyncTask A ADMS0003I: The configuration synchronization completed successfully.

But, Splunk formats the timestamp like this - a year behind.

2012-12-13T13:42:36.130+01:00

I have tried without success to apply the following in props.conf

[websphere:system:out] 
REPORT-thread = extract-sysout
LOOKUP-waseventtype = waseventtype waseventtyperaw OUTPUTNEW waseventtype
# [11/12/13 18:45:24:007 CET]
TIME_PREFIX = \[
TIME_FORMAT = %d/%m/%y %H:%M:%S
BREAK_ONLY_BEFORE = \[.+:.{2}:.{2}:.{3}\s
MAX_EVENTS = 1024

But it does not help (not having the time_prefix and time_format provides the same result.)

rune_hellem · ‎12-12-2013

I am not really sure what did the trick, but I do somehow think it has something to do with Windows (all servers are Windows-servers in our environment). In the inputs.conf file I had defined the paths to the SystemOut.log files like this

[monitor://E:\logs\...\SystemOut.log] index = was_index sourcetype = websphere:system:out

For some reason Splunk seemed to struggle with that definition, finding just some of the files. After changing it to

[monitor://E:\logs\*Member*\SystemOut.log]
index = was_index
sourcetype = websphere:system:out

[monitor://E:\logs\nodeagent\SystemOut.log]
index = was_index
sourcetype = websphere:system:out

[monitor://E:\logs\dmgr\SystemOut.log]
index = was_index
sourcetype = websphere:system:out

it started to index it as I would expect. So I must admit that I am not really sure what I did wrong initially, but the above did the trick for me at least.

View solution in original post

rune_hellem · ‎12-12-2013

I am not really sure what did the trick, but I do somehow think it has something to do with Windows (all servers are Windows-servers in our environment). In the inputs.conf file I had defined the paths to the SystemOut.log files like this

[monitor://E:\logs\...\SystemOut.log] index = was_index sourcetype = websphere:system:out

For some reason Splunk seemed to struggle with that definition, finding just some of the files. After changing it to

[monitor://E:\logs\*Member*\SystemOut.log]
index = was_index
sourcetype = websphere:system:out

[monitor://E:\logs\nodeagent\SystemOut.log]
index = was_index
sourcetype = websphere:system:out

[monitor://E:\logs\dmgr\SystemOut.log]
index = was_index
sourcetype = websphere:system:out

it started to index it as I would expect. So I must admit that I am not really sure what I did wrong initially, but the above did the trick for me at least.

rune_hellem · ‎12-12-2013

Argh! Captcha hates me, so instead of updating I comment my own question: Did change the formatting of TIME_FORMAT as pointed out by lukejadamec but that did not solve my problem. Strange thing is that I do not find any errors in the Splunk logs. Need to recheck my indexes.

lukejadamec · ‎12-12-2013

Try changing your timestamp format to match the data:

TIME_FORMAT = %d.%m.%y %H:%M:%S:%N %Z

lukejadamec · ‎12-12-2013

You might as well include the timezone also:)
Have you tried the time_format without the time_prefix?

rune_hellem · ‎12-12-2013

I should have seen that one, updated timeformat - but still no help. Suspect that I have some other issue which I am not able to see (yet) in the Splunk logs.

Timestamp shown incorrectly in search result, how to provide correct format?

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!