Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

french timestamp not understood

pfoucher
Engager
‎11-18-2014 06:33 AM

Hello,
I have a log where the timestamp is written with a abbreviated name for the month. My problem is that the abreviation is a french one and splunk does not understand it.
Example : (déc for december)
01-déc-10|15:28:16.0| xxxx
01-déc-10|15:59:38.3| yyy
As a consequence, all the lines are appended into a single event.
I tried to modify the file datetime.xml, but it didn't work.
Can someone help me ?
Thank you

Tags (1)
Reply

raz_gp
Explorer
‎12-22-2023 01:14 AM

having the same issue for weekdays and month dates. 
Is this something that will happen or we need to fix it ourselves creatively ?


mer. 13 déc. 2023 23:31:20 CET file_hash=96def1...
mar. 19 déc. 2023 22:06:55 CET user=x ... 
mar. 19 déc. 2023 09:16:13 CET user=y ...

0 Karma
Reply

gfuente
Motivator
‎11-21-2014 06:52 AM

Hello

This is officially not supported:

Note: Splunk Enterprise does not currently recognize non-English month names in timestamps. If you have an app that writes non-English month names to log files, reconfigure the app to use numerical months, if possible.

From: http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Configuretimestamprecognition

Regards

Reply

lmyrefelt
Builder
‎11-18-2014 07:24 AM

The following should work;

in props.conf

["your-sourcetype"]
DATETIME_CONFIG = ("path")/etc/apps/"app-name"/"path"/datetime.xml

inside datetime.xml, under lithmonth / _litmonth

dec|déc

... Well to be honest .. i have not tried using charachters like åæøø yet .. but ...

restart of course

here comes some additional good information;

http://blogs.splunk.com/2014/04/23/its-that-time-again/
http://blogs.splunk.com/2009/12/02/configure-splunk-to-pull-a-date-out-of-a-non-standard-filename/

0 Karma
Reply

lmyrefelt
Builder
‎11-21-2014 06:28 AM

Might be something for an enchantment request? Or the support to help u with ?

Either way .. it should be "best practies" to keep the goods in english 😉 and no puny åæøèé whatever .. makes live easier

0 Karma
Reply

pfoucher
Engager
‎11-20-2014 08:54 AM

I tried to modify the datetime.xml file as with your example, but it didn't work. Splunk does not recognize the "é" character, and displays \xE9 instead. This character belongs to UTF-8, it should be recognized, isn't it ?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...