Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Trying to configure timestamp extraction

clmiller
Engager
‎12-09-2011 11:39 AM

Am trying to index log entries there the time stamp information is at the starting of the first line of each log entry.
Sample timestamps from entries in a couple of types of associated log files are:
[7/17/10 4:24:53:269 CST] 00000048 SystemErr . . .
[10/5/11 11:55:08:992 PDT] 00000029 SystemOut . . .
[11/30/11 8:09:06:400 PST] 0000006e SystemOut . . .
[12/9/11 0:52:10:743 PST] 0000000a ResourceMgrIm . . .
2/17/10 02:38:11 AM CST [INFO] [...Agent] . . .
10/28/10 08:29:01 PM CDT [ERROR] [...Agent.Properties] . . .
12/09/10 10:08:33 PM CST [WARN] [...Agent] . . .
11/30/11 08:11:08 PM PST [INFO] [...Agent] . . .

This is obviously ambiguous in form for date ( since 11/9/10 fould be year 2010 or 2011.
Have tried the following but doesn't work with recent entries at least those form of 1st 4 from today. Splunk doesnt recognize the time stamp. Am suspecting an issue with the day portion since only a single digit. Can't seem to find if there is a day designator form that allows for a single digit.

In Applications's props.conf file:
[host::sample]
TIME_PREFIX = ^.
MAX_TIMESTAMP_LOOKAHEAD = 22
TIME_FORMAT = %y/%d/%m %k%M%S

Anyone have some good suggestions?

0 Karma
Reply

kristian_kolb
Ultra Champion
‎12-15-2011 03:50 AM

See my answer to a similar question

http://splunk-base.splunk.com/answers/36207/how-do-i-configure-timestamp-extraction-where-day-may-be...

hth,

Kristian

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...