Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

_time format in props config file

k_harini
Communicator
‎08-09-2017 11:58 PM

I have time_submitted in this format - 10-08-2017 16:20:40 AEST, so in props file I gave in this format
TIMESTAMP_FIELDS = created_on
TIME_FORMAT = %d-%m-%Y %H:%M:%S %Z

Is this correct? when indexing data it takes index time instead of created_on.. Experts, kindly help

Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-10-2017 12:14 AM

Hi k_harini,
your TIME_FORMAT seems to be correct, anyway the easiest way to test it is to dowload an example of your logs and then use the web interface Add data function (Settings -- Add data -- Add local data] to immediately test your TIME_FORMAT.

Only an additional information: where do you put your props.con containing TIME_FORMAT?
It must be on the Indexer (with the only exceprion of csv files) not on the forwarder.

Bye.
Giuseppe

0 Karma
Reply

dshakespeare_sp
Splunk Employee
Splunk Employee
‎08-10-2017 12:13 AM

Your TIME_FORMAT looks correct. TIMESTAMP_FIELDS = created_on suggests that this is a csv file is this correct?
It would be useful to see the output from 'splunk cmd btool props list --debug' for the source / source type and a sample of the datafile including the header. The props.conf needs to be placed where the data is parsed (usually Indexer or HWF) or on the UF if you are using INDEXED_EXTRACTIONS = csv

0 Karma
Reply
Get Updates on the Splunk Community!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...

Stay Connected: Your Guide to October Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...