Splunk Dev
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

_time format in props config file

k_harini
Communicator
‎08-09-2017 11:58 PM

I have time_submitted in this format - 10-08-2017 16:20:40 AEST, so in props file I gave in this format
TIMESTAMP_FIELDS = created_on
TIME_FORMAT = %d-%m-%Y %H:%M:%S %Z

Is this correct? when indexing data it takes index time instead of created_on.. Experts, kindly help

Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-10-2017 12:14 AM

Hi k_harini,
your TIME_FORMAT seems to be correct, anyway the easiest way to test it is to dowload an example of your logs and then use the web interface Add data function (Settings -- Add data -- Add local data] to immediately test your TIME_FORMAT.

Only an additional information: where do you put your props.con containing TIME_FORMAT?
It must be on the Indexer (with the only exceprion of csv files) not on the forwarder.

Bye.
Giuseppe

0 Karma
Reply

dshakespeare_sp
Splunk Employee
Splunk Employee
‎08-10-2017 12:13 AM

Your TIME_FORMAT looks correct. TIMESTAMP_FIELDS = created_on suggests that this is a csv file is this correct?
It would be useful to see the output from 'splunk cmd btool props list --debug' for the source / source type and a sample of the datafile including the header. The props.conf needs to be placed where the data is parsed (usually Indexer or HWF) or on the UF if you are using INDEXED_EXTRACTIONS = csv

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...