Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

configuring TIME_FORMAT

kerne1
New Member
‎08-07-2012 05:01 AM

Hello, our logs have ISO 8601 date format with shorted year (YY instead of YYYY): "12-08-06 04:42:10". It is 6 of August 2012 but Splunk think it is 12 of August 2006.

I've added to props.conf:
TIME_FORMAT = %y-%m-%d %H:%M:%S
but this didn't change anything.

the full config:



    [source::/var/log/access*]

    #12-08-03 19:48:40 "user1|g" 1.2.3.4 "CONNECT www.example.com:443" 

    EXTRACT-access = ^(?P<datestamp>[^ ]+) (?P<timestamp>[^ ]+) "(?P<auth_user>[^|])|(?P<profile>[^"])" (?P<src_ip>[^ ]+) "(?P<method>[A-Z]+) (?P<url>[^"]+)"

    TIME_FORMAT = %y-%m-%d %H:%M:%S

any idea how to configure?

thanks

Tags (3)
0 Karma
Reply

pmocek
Explorer
‎04-02-2014 02:55 PM

Your logs are not using ISO 8601. It specifies four-digit years. There is no provision in it for a two-digit year.

0 Karma
Reply

hetzere
New Member
‎05-10-2016 07:55 AM

I downvoted this post because op stated the exception, and the comment does nothing to answer the question.

0 Karma
Reply

blebit
Path Finder
‎01-24-2014 12:53 AM

hello, can we push this from Deployment Monitor ???

0 Karma
Reply

dmaislin_splunk
Splunk Employee
Splunk Employee
‎08-07-2012 07:01 AM

MAX_TIMESTAMP_LOOKAHEAD=20
SHOULD_LINEMERGE=false
TIME_FORMAT=%y-%m-%d %H:%M:%S
TIME_PREFIX=^

0 Karma
Reply

kerne1
New Member
‎08-07-2012 06:53 AM

sorry for misleading, the html tags come from Markdown and doesn't belong to the config.

this ist the log line:
12-08-03 19:48:40 "user1|g" 1.2.3.4 "CONNECT www.example.com:443"
this is the props.conf (I've removed the EXTRACT expression for clarity):

[source::/var/log/access*]
TIME_FORMAT = %y-%m-%d %H:%M:%S
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...