Solved: props.conf date and time formatting

khhenderson · ‎01-22-2014

I have log files that I would like to get into Splunk but I'm having trouble due to the way the date and time are formatted in the log file. In the past I have add a few lines to the props.conf on the splunk server.

Here is what I have in the props.conf

[source::/pathtofile/logserver_output/LogServer.*]
TIME_PREFIX = ^L
TIME_FORMAT = %y_%m_%d.%H_%M_%S

Here is a line from the log file.

L2014_01_22.09_35_17{CONVERTED=TRUE,ENE_TIME=0.003,RECORD_NAMES=Record54B43821-6D76-40B6-B5AD-9794DCF445F0,SESSION_ID=acca42e8-3c0f-4b9a-b252-a587dc4de3fb,TYPE=R}

It should be "L" "year" "month" "day" "." "hour" "minute" "second".

Did I miss something? I am using a test index but it doesn't seem to be reading the date and time correctly.

aelliott · ‎01-22-2014

I believe you need a capital y: %Y

View solution in original post

richgalloway · ‎01-22-2014

Four-digit years are represented by '%Y'.

---
If this reply helps you, Karma would be appreciated.

aelliott · ‎01-22-2014

nope, those looks good, here is a reference : http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchReference/Commontimeformatvariables

khhenderson · ‎01-22-2014

What about month and minute, should they both be capital?

aelliott · ‎01-22-2014

I believe you need a capital y: %Y

khhenderson · ‎01-22-2014

That did the trick, I knew it was something simple. Thanks

props.conf date and time formatting

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!