Re: configuring TIME_FORMAT

kerne1 · ‎08-07-2012

Hello, our logs have ISO 8601 date format with shorted year (YY instead of YYYY): "12-08-06 04:42:10". It is 6 of August 2012 but Splunk think it is 12 of August 2006.

I've added to props.conf:
TIME_FORMAT = %y-%m-%d %H:%M:%S
but this didn't change anything.

the full config:



    [source::/var/log/access*]

    #12-08-03 19:48:40 "user1|g" 1.2.3.4 "CONNECT www.example.com:443" 

    EXTRACT-access = ^(?P<datestamp>[^ ]+) (?P<timestamp>[^ ]+) "(?P<auth_user>[^|])|(?P<profile>[^"])" (?P<src_ip>[^ ]+) "(?P<method>[A-Z]+) (?P<url>[^"]+)"

    TIME_FORMAT = %y-%m-%d %H:%M:%S

any idea how to configure?

thanks

pmocek · ‎04-02-2014

Your logs are not using ISO 8601. It specifies four-digit years. There is no provision in it for a two-digit year.

hetzere · ‎05-10-2016

I downvoted this post because op stated the exception, and the comment does nothing to answer the question.

blebit · ‎01-24-2014

hello, can we push this from Deployment Monitor ???

dmaislin_splunk · ‎08-07-2012

MAX_TIMESTAMP_LOOKAHEAD=20
SHOULD_LINEMERGE=false
TIME_FORMAT=%y-%m-%d %H:%M:%S
TIME_PREFIX=^

kerne1 · ‎08-07-2012

sorry for misleading, the html tags come from Markdown and doesn't belong to the config.

this ist the log line:
12-08-03 19:48:40 "user1|g" 1.2.3.4 "CONNECT www.example.com:443"
this is the props.conf (I've removed the EXTRACT expression for clarity):

[source::/var/log/access*]
TIME_FORMAT = %y-%m-%d %H:%M:%S

configuring TIME_FORMAT

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Continue Your Federation Journey: Join Session 3 of the Bootcamp Series

Announcing Modern Navigation: A New Era of Splunk User Experience

Casting Call: Compete in Cyber Games

Join the Conversation