Getting Data In

events with future timestamp

Path Finder

Hello

this is my event:

Jun 19 12:31:44 : Info:copyconfig.cpp:319: copyConfig: copy configuration to /tmp/t5871.cfg

this is the source:

s3://ssyssplunk/AMER/FDM/F123/D/D02/2019-05-31T13:17:14.002Z1.91.0.1921.85.0.02.0.5608.0/75fbcf50-a6a4-4520-aa58-f63498a9c265System
Log

this is my sourcetype configuration :

[fdm_f123_systemLog]
BREAK_ONLY_BEFORE = ^\w\s\d+\s\d{2}:\d{2}:\d{2}
DATETIME_CONFIG =
LINE_BREAKER = ([\r\n]+)
MAX_TIMESTAMP_LOOKAHEAD = 15
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TIME_FORMAT = %b  %d %H:%M:%S
TIME_PREFIX = ^
TRUNCATE = 0
category = Custom
disabled = false
pulldown_type = 1

and the timestamp for this event (and many others) looks like :

2019-06-07T12:41:08.000+00:00

how come i got future date and also not the correct one ?

0 Karma
1 Solution

Path Finder

Hi,

You should try

TIME_FORMAT = %b %e %H:%M:%S

instead of

TIME_FORMAT = %b  %d %H:%M:%S

It seems you have an additional space between %b and %d too, which probably does not help...

View solution in original post

0 Karma

Ultra Champion

It seems that you have the Zule Z there ; - 2019-05-31T13:17:14.002Z

A bit about it at - What is a trailing Z in a time stamp?

0 Karma

Path Finder

Hi,

You should try

TIME_FORMAT = %b %e %H:%M:%S

instead of

TIME_FORMAT = %b  %d %H:%M:%S

It seems you have an additional space between %b and %d too, which probably does not help...

View solution in original post

0 Karma