Solved: props.conf date and time formatting

khhenderson · ‎01-22-2014

I have log files that I would like to get into Splunk but I'm having trouble due to the way the date and time are formatted in the log file. In the past I have add a few lines to the props.conf on the splunk server.

Here is what I have in the props.conf

[source::/pathtofile/logserver_output/LogServer.*]
TIME_PREFIX = ^L
TIME_FORMAT = %y_%m_%d.%H_%M_%S

Here is a line from the log file.

L2014_01_22.09_35_17{CONVERTED=TRUE,ENE_TIME=0.003,RECORD_NAMES=Record54B43821-6D76-40B6-B5AD-9794DCF445F0,SESSION_ID=acca42e8-3c0f-4b9a-b252-a587dc4de3fb,TYPE=R}

It should be "L" "year" "month" "day" "." "hour" "minute" "second".

Did I miss something? I am using a test index but it doesn't seem to be reading the date and time correctly.

aelliott · ‎01-22-2014

I believe you need a capital y: %Y

View solution in original post

richgalloway · ‎01-22-2014

Four-digit years are represented by '%Y'.

---
If this reply helps you, Karma would be appreciated.

aelliott · ‎01-22-2014

nope, those looks good, here is a reference : http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchReference/Commontimeformatvariables

khhenderson · ‎01-22-2014

What about month and minute, should they both be capital?

aelliott · ‎01-22-2014

I believe you need a capital y: %Y

khhenderson · ‎01-22-2014

That did the trick, I knew it was something simple. Thanks

props.conf date and time formatting

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Casting Call: Compete in Cyber Games

How Edge Processor's Durable Queue Works

Join the Conversation