Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

timestamp in _raw contains p.m. -How to configure props.conf to correctly interpret this format?

lessthan80
Explorer
‎03-03-2023 12:50 PM

the output in splunk console:
3/3/23
2:05:41.000 AM

03/03/2023 02:05:41 p.m. 14664 5046661

Note that the splunk _time is pulling the timestamp from _raw, but not interpreting the "p.m." so splunk is posting the time of the event as 2:05 AM.  I have have tried a few different combinations for the TIME_FORMAT in the props.conf file, and nothing is helping.

here is the current TIME_FORMAT stanza

[###_###_###_#######]
DATETIME_CONFIG =
LINE_BREAKER = ([\r\n]+)
MAX_TIMESTAMP_LOOKAHEAD = 26
TIME_FORMAT = %d/%m/%Y %I:%M:%S
TIME_PREFIX = ^
category = Custom
disabled = false
pulldown_type = true
EXTRACT-total_processing_time = ^[^\t\n]*\t(?P<total_processing_time>\d+\t)
EXTRACT-application_id = ^(?:[^\t\n]*\t){2}(?P<application_id>.+)

current TIME_FORMAT
TIME_FORMAT = %d/%m/%Y %I:%M:%S
I've tried this with %p and %P with no success.   Any ideas?

 

 

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎03-04-2023 02:23 AM

Custom datetime.xml is one way you can go. You can also use INGEST-EVAL to adjust your timestamp in post-extraction processing. See the great .conf presentation

https://conf.splunk.com/files/2020/slides/PLA1154C.pdf

There are several examples of dealing with timestamps there.

View solution in original post

Reply
Solved! Jump to solution

lessthan80
Explorer
‎03-07-2023 05:57 AM

I started reviewing both answers and they both appear to be correct.   With this information i expect to be able the correct the eventtime problem.   Thanks to both.

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎03-03-2023 05:24 PM

It looks like the dots in "p.m." are getting in the way.  The %p format character expects either "am" or "pm" (in either case) - no dots.

You may be able to parse that timestamp with a custom datetime.xml file.  See https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Configuredatetimexml#:~:text=The%20Spl....

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎03-04-2023 02:23 AM

Custom datetime.xml is one way you can go. You can also use INGEST-EVAL to adjust your timestamp in post-extraction processing. See the great .conf presentation

https://conf.splunk.com/files/2020/slides/PLA1154C.pdf

There are several examples of dealing with timestamps there.

Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...