Solved: props.conf date and time formatting

khhenderson · ‎01-22-2014

I have log files that I would like to get into Splunk but I'm having trouble due to the way the date and time are formatted in the log file. In the past I have add a few lines to the props.conf on the splunk server.

Here is what I have in the props.conf

[source::/pathtofile/logserver_output/LogServer.*]
TIME_PREFIX = ^L
TIME_FORMAT = %y_%m_%d.%H_%M_%S

Here is a line from the log file.

L2014_01_22.09_35_17{CONVERTED=TRUE,ENE_TIME=0.003,RECORD_NAMES=Record54B43821-6D76-40B6-B5AD-9794DCF445F0,SESSION_ID=acca42e8-3c0f-4b9a-b252-a587dc4de3fb,TYPE=R}

It should be "L" "year" "month" "day" "." "hour" "minute" "second".

Did I miss something? I am using a test index but it doesn't seem to be reading the date and time correctly.

aelliott · ‎01-22-2014

I believe you need a capital y: %Y

View solution in original post

richgalloway · ‎01-22-2014

Four-digit years are represented by '%Y'.

---
If this reply helps you, Karma would be appreciated.

aelliott · ‎01-22-2014

nope, those looks good, here is a reference : http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchReference/Commontimeformatvariables

khhenderson · ‎01-22-2014

What about month and minute, should they both be capital?

aelliott · ‎01-22-2014

I believe you need a capital y: %Y

khhenderson · ‎01-22-2014

That did the trick, I knew it was something simple. Thanks

props.conf date and time formatting

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?