Getting Data In
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

timestamp contain T between date and time

jayannah
Builder
‎06-16-2014 07:26 AM

Hi All

The timestamp is in the format T

Is there any configuration supported in SPlunk to automatically recognize and extract this timestamp to _time ?

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎06-16-2014 07:42 AM

Add following in your sourcetype configuration in props.conf.

[YourSourceType]
..Other stuffs..
...
TIME_FORMAT = %Y-%m-%dT%H:%M:%S%z

View solution in original post

Reply
Solved! Jump to solution

grijhwani
Motivator
‎06-17-2014 04:02 AM

If you have multiple sources for the timestamp and you want a specific field to be use, then you will need to be explicit in the source configuration about which field(s) to use (props.conf?). It is not the format that matters, it is the "where". You can't rely on defaults. It all depends on how the analysis tree is implemented within Splunk, otherwise, and that you have no control over.

0 Karma
Reply
Solved! Jump to solution

jayannah
Builder
‎06-16-2014 10:39 PM

The _time is getting the correct value, but if I see it in data previews screen, it is selecting correct time from incorrect data 🙂

E.g:Sample log edited from actual.
2014-06-05T05:03:53-07:00 server8 monitor: "10.29.224.229" - [05/Jun/2014:05:03:53 -0700] "GET /login?userId=10099234081 HTTP/1.1" 200 87323"-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)" 0.543 "-/-" www.mywebsite.com

Here, in the preview screen, the _time is extracted from "05T05:03:53-07:00 server8 monitor: "10.29.224.229" - [05/Jun/2014" as highlighted in the preview Window.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎06-16-2014 01:28 PM

I created some sample log file with timestamp format specified by you and bunch of other format in same log file, and splunk is able to recognize it(without specifying Time format). Do you face any issue with your logs?
Sample test log created.

2014-06-05T05:03:53-07:00 name=this
2014-06-05 05:04:53-07:00 name=is
06/05/2014 05:05:53 -07:00 name=datetime
06/05/2014:05:06:53 -07:00 name=test

0 Karma
Reply
Solved! Jump to solution

jayannah
Builder
‎06-16-2014 01:18 PM

Let me be more specific about my question.

Note that the "T" appears literally in the string, to indicate the beginning of the time element, as specified in ISO 8601.

So, I'm of looking if there is way to mention about the timeformat used is ISO-8601. Like we mention TZ for timezone. Like this, is there something similar to mention say TF=ISO-8601 to indicate the timeformat used in the log is ISO-8601 compliance.

Hope this clarifies my question.

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎06-16-2014 07:42 AM

Add following in your sourcetype configuration in props.conf.

[YourSourceType]
..Other stuffs..
...
TIME_FORMAT = %Y-%m-%dT%H:%M:%S%z
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
li.common.scroll-to.top