Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

timestamp in _raw contains p.m. -How to configure props.conf to correctly interpret this format?

lessthan80
Explorer
‎03-03-2023 12:50 PM

the output in splunk console:
3/3/23
2:05:41.000 AM

03/03/2023 02:05:41 p.m. 14664 5046661

Note that the splunk _time is pulling the timestamp from _raw, but not interpreting the "p.m." so splunk is posting the time of the event as 2:05 AM.  I have have tried a few different combinations for the TIME_FORMAT in the props.conf file, and nothing is helping.

here is the current TIME_FORMAT stanza

[###_###_###_#######]
DATETIME_CONFIG =
LINE_BREAKER = ([\r\n]+)
MAX_TIMESTAMP_LOOKAHEAD = 26
TIME_FORMAT = %d/%m/%Y %I:%M:%S
TIME_PREFIX = ^
category = Custom
disabled = false
pulldown_type = true
EXTRACT-total_processing_time = ^[^\t\n]*\t(?P<total_processing_time>\d+\t)
EXTRACT-application_id = ^(?:[^\t\n]*\t){2}(?P<application_id>.+)

current TIME_FORMAT
TIME_FORMAT = %d/%m/%Y %I:%M:%S
I've tried this with %p and %P with no success.   Any ideas?

 

 

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎03-04-2023 02:23 AM

Custom datetime.xml is one way you can go. You can also use INGEST-EVAL to adjust your timestamp in post-extraction processing. See the great .conf presentation

https://conf.splunk.com/files/2020/slides/PLA1154C.pdf

There are several examples of dealing with timestamps there.

View solution in original post

Reply
Solved! Jump to solution

lessthan80
Explorer
‎03-07-2023 05:57 AM

I started reviewing both answers and they both appear to be correct.   With this information i expect to be able the correct the eventtime problem.   Thanks to both.

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎03-03-2023 05:24 PM

It looks like the dots in "p.m." are getting in the way.  The %p format character expects either "am" or "pm" (in either case) - no dots.

You may be able to parse that timestamp with a custom datetime.xml file.  See https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Configuredatetimexml#:~:text=The%20Spl....

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎03-04-2023 02:23 AM

Custom datetime.xml is one way you can go. You can also use INGEST-EVAL to adjust your timestamp in post-extraction processing. See the great .conf presentation

https://conf.splunk.com/files/2020/slides/PLA1154C.pdf

There are several examples of dealing with timestamps there.

Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...