Getting Data In

props.conf date and time formatting

khhenderson
Path Finder

I have log files that I would like to get into Splunk but I'm having trouble due to the way the date and time are formatted in the log file. In the past I have add a few lines to the props.conf on the splunk server.

Here is what I have in the props.conf

[source::/pathtofile/logserver_output/LogServer.*]
TIME_PREFIX = ^L
TIME_FORMAT = %y_%m_%d.%H_%M_%S

Here is a line from the log file.

L2014_01_22.09_35_17{CONVERTED=TRUE,ENE_TIME=0.003,RECORD_NAMES=Record54B43821-6D76-40B6-B5AD-9794DCF445F0,SESSION_ID=acca42e8-3c0f-4b9a-b252-a587dc4de3fb,TYPE=R}

It should be "L" "year" "month" "day" "." "hour" "minute" "second".

Did I miss something? I am using a test index but it doesn't seem to be reading the date and time correctly.

Tags (2)
1 Solution

aelliott
Motivator

I believe you need a capital y: %Y

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

Four-digit years are represented by '%Y'.

---
If this reply helps you, Karma would be appreciated.
0 Karma

aelliott
Motivator
0 Karma

khhenderson
Path Finder

What about month and minute, should they both be capital?

0 Karma

aelliott
Motivator

I believe you need a capital y: %Y

khhenderson
Path Finder

That did the trick, I knew it was something simple. Thanks

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...