I have log files that I would like to get into Splunk but I'm having trouble due to the way the date and time are formatted in the log file. In the past I have added a few lines to the props.conf on the Splunk server.
Here is what I have in the props.conf:
[source::/pathtofile/logserver_output/LogServer.*]
TIME_PREFIX = ^L
TIME_FORMAT = %y_%m_%d.%H_%M_%S
Here is a line from the log file.
L2014_01_22.09_35_17{CONVERTED=TRUE,ENE_TIME=0.003,RECORD_NAMES=Record54B43821-6D76-40B6-B5AD-9794DCF445F0,SESSION_ID=acca42e8-3c0f-4b9a-b252-a587dc4de3fb,TYPE=R}
It should be "L" "year" "month" "day" "." "hour" "minute" "second".
Did I miss something? I am using a test index but it doesn't seem to be reading the date and time correctly.
Four-digit years are represented by '%Y'.
Nope, those look good, here is a reference: http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchReference/Commontimeformatvariables
What about month and minute, should they both be capital?
I believe you need a capital y: %Y
That did the trick, I knew it was something simple. Thanks
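The fix from this thread can be checked offline before a stanza is deployed. The following is an added example, not part of the original posts and not Splunk's own parser: it assumes Python's `strptime` treats `%y`, `%Y`, `%m`, `%d`, `%H`, `%M` and `%S` the same way for this format, and the function name `extract_timestamp` and its `lookahead` parameter are hypothetical.

```python
import re
from datetime import datetime

# Event from the question, shortened to three fields for readability.
SAMPLE = "L2014_01_22.09_35_17{CONVERTED=TRUE,ENE_TIME=0.003,TYPE=R}"

ORIGINAL_FORMAT = "%y_%m_%d.%H_%M_%S"   # TIME_FORMAT as posted in the question
CORRECTED_FORMAT = "%Y_%m_%d.%H_%M_%S"  # TIME_FORMAT after the accepted fix
TIME_PREFIX = r"^L"                     # TIME_PREFIX as posted in the question


def extract_timestamp(line, time_prefix, time_format, lookahead=128):
    """Return the datetime found right after time_prefix, or None.

    lookahead (hypothetical parameter) bounds how many characters after
    the prefix are considered part of the timestamp.
    """
    match = re.search(time_prefix, line)
    if match is None:
        return None  # the prefix never matched, so there is nothing to parse
    candidate = line[match.end():match.end() + lookahead]
    # strptime rejects trailing data, so try the longest window first and
    # shrink until the format consumes the whole window.
    for end in range(len(candidate), 0, -1):
        try:
            return datetime.strptime(candidate[:end], time_format)
        except ValueError:
            continue
    return None  # no window matched: the event would get a fallback time


if __name__ == "__main__":
    for label, fmt in (("original", ORIGINAL_FORMAT),
                       ("corrected", CORRECTED_FORMAT)):
        parsed = extract_timestamp(SAMPLE, TIME_PREFIX, fmt)
        print(f"{label:9} {fmt}: {parsed}")
```

With `%y` the parser consumes `20` as the year and then expects `_` where the line has `14`, so nothing is extracted; events whose timestamps fail to parse end up with the wrong time in a search timeline, which is worth catching before the data is used for investigation.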