Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- splunk extract incorrect time
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,everyone.
My raw log is like this:
2017-05-22 01:00:01 dst:100.100.100.2 src:118.32.120.110 port:60046 count:6
2017-05-22 01:00:01 dst:100.100.100.2 src:118.32.120.91 port:38026 count:2
2017-05-22 01:00:01 dst:100.100.100.2 src:118.43.104.16 port:33967 count:2
2017-05-22 01:00:01 dst:100.100.100.2 src:119.1.109.17 port:43973 count:3
And the count of raw log is 409767.
All of the time is 2017/05/22 01:00:01 in raw log.
But splunk extract timestamp is 2017/05/22 01:00:01 2017/05/22 01:00:02 2017/05/22 01:00:03 2017/05/22 01:00:04 2017/05/22 01:00:05
I use this search comand "sourcetype=test |stats count by _time",and got this result.
_time count
2017/05/22 01:00:01 100000
2017/05/22 01:00:02 100000
2017/05/22 01:00:03 100000
2017/05/22 01:00:04 100000
2017/05/22 01:00:05 9767
I have set TIME_FORMAT=%Y-%m-%d %H:%M:%S in props.conf,but doesn`t work.
I also use this "sourcetype=test | fieldformat _time=strftime(_time,"%Y-%m-%d %H:%M:%S") "
The timestamp return aN/NaN/NaN NaN:NaN:NaN.000
Anyone know how to solve this issue?
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The time format logic should Work. Just tested as below
|makeresults | eval _time="2017-05-22 01:00:01" | eval myEpoch=strptime(_time,"%Y-%m-%d %H:%M:%S")| eval reConvertTime=strftime(myEpoch,"%FT%T")
In your props Try putting and restarting Splunk
TIME_FORMAT=%Y-%m-%d %H:%M:%S
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD=32
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Props you have defined, is it under search or your custom app?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Solved. Thank you so much.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The time format logic should Work. Just tested as below
|makeresults | eval _time="2017-05-22 01:00:01" | eval myEpoch=strptime(_time,"%Y-%m-%d %H:%M:%S")| eval reConvertTime=strftime(myEpoch,"%FT%T")
In your props Try putting and restarting Splunk
TIME_FORMAT=%Y-%m-%d %H:%M:%S
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD=32
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Still doesn`t work, it should be splunk limit.
https://answers.splunk.com/answers/303/whats-max-events-i-can-have-timestamped-with-a-particular-sec...
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Mile High Learning with Splunk University, Denver, Colorado
IT Service Intelligence 5.0 Series: Your Guide to the June Launch
Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0
