Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Help me with Time formt and time prefix

shreya17
Explorer
‎07-07-2021 11:55 AM

I need help to write time format and time prefix for below  timelogs. Please note these are seperate logs, hence need different timeformat and timeprefix for all three. Help will be appreciated, Thanks in advance!

####<30/06/2021 11:13:08,975 PM AEST>

####<Jul 3, 2021 4:25:41,233 PM AEST>

[2021-07-06T23:59:58.849+10:00]

 

Trying to get this added in props.conf file in below format, need assistance with timeformat and timeprefix

DATETIME_CONFIG =
NO_BINARY_CHECK = true
TZ = Australia/Sydney
TIME_FORMAT = 
TIME_PREFIX =

0 Karma
Reply

burwell
SplunkTrust
SplunkTrust
‎07-07-2021 12:40 PM

Hi. Instead of us just providing you with the answer, do you want to take a crack at the timestamp settings?

Here are documented examples on the date/time format settings: https://docs.splunk.com/Documentation/Splunk/latest/Data/Configuretimestamprecognition#Examples

I also came across this handy video that shows you how to interact with Splunk and test these settings.

 https://www.youtube.com/watch?v=Q5EWCT79nZ4

Give the settings a try and let us know what works/doesn't work or that you have questions about. Thanks!

0 Karma
Reply

shreya17
Explorer
‎07-08-2021 08:12 AM

Hey @burwell  I did give a try. Let me know if this is good.

####<30/06/2021 11:13:08,975 PM AEST>

DATETIME_CONFIG =
NO_BINARY_CHECK = true
TZ = Australia/Sydney
TIME_FORMAT = %d/%m/%Y %I:%M:%S,%3N %p
TIME_PREFIX = \####<

 

####<Jul 3, 2021 4:25:41,233 PM AEST>

DATETIME_CONFIG =
NO_BINARY_CHECK = true
TZ = Australia/Sydney
TIME_FORMAT = %b %d, %Y %I:%M:%S,%3N %p
TIME_PREFIX = \####<

 

[2021-07-06T23:59:58.849+10:00]  -- (not sure of this one)

DATETIME_CONFIG =
NO_BINARY_CHECK = true
TZ = Australia/Sydney
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N  
TIME_PREFIX = \[

0 Karma
Reply

burwell
SplunkTrust
SplunkTrust
‎07-09-2021 01:53 PM

@shreya17  Great job!

I tested these and they seem correct.

A couple of settings I like to add

  • MAX_TIMESTAMP_LOOKAHEAD .. make it be the total number of characters in the time including timezone etc
  • SHOULD_LINEMERGE=false
  • LINE_BREAKER=([\r\n]+)..     This one you put the regular expression that matches the beginning of an event. That way if there's some garbage lines they won't be treated as single events (if you want that) e.g. for 2 of your events it would be LINE_BREAKER=([\r\n]+\####<
  • TRUNCATE=9999 or whatever you want. The maximum line length you will accept


0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...