Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Help me with Time formt and time prefix

shreya17
Explorer
‎07-07-2021 11:55 AM

I need help to write time format and time prefix for below  timelogs. Please note these are seperate logs, hence need different timeformat and timeprefix for all three. Help will be appreciated, Thanks in advance!

####<30/06/2021 11:13:08,975 PM AEST>

####<Jul 3, 2021 4:25:41,233 PM AEST>

[2021-07-06T23:59:58.849+10:00]

 

Trying to get this added in props.conf file in below format, need assistance with timeformat and timeprefix

DATETIME_CONFIG =
NO_BINARY_CHECK = true
TZ = Australia/Sydney
TIME_FORMAT = 
TIME_PREFIX =

0 Karma
Reply

burwell
SplunkTrust
SplunkTrust
‎07-07-2021 12:40 PM

Hi. Instead of us just providing you with the answer, do you want to take a crack at the timestamp settings?

Here are documented examples on the date/time format settings: https://docs.splunk.com/Documentation/Splunk/latest/Data/Configuretimestamprecognition#Examples

I also came across this handy video that shows you how to interact with Splunk and test these settings.

 https://www.youtube.com/watch?v=Q5EWCT79nZ4

Give the settings a try and let us know what works/doesn't work or that you have questions about. Thanks!

0 Karma
Reply

shreya17
Explorer
‎07-08-2021 08:12 AM

Hey @burwell  I did give a try. Let me know if this is good.

####<30/06/2021 11:13:08,975 PM AEST>

DATETIME_CONFIG =
NO_BINARY_CHECK = true
TZ = Australia/Sydney
TIME_FORMAT = %d/%m/%Y %I:%M:%S,%3N %p
TIME_PREFIX = \####<

 

####<Jul 3, 2021 4:25:41,233 PM AEST>

DATETIME_CONFIG =
NO_BINARY_CHECK = true
TZ = Australia/Sydney
TIME_FORMAT = %b %d, %Y %I:%M:%S,%3N %p
TIME_PREFIX = \####<

 

[2021-07-06T23:59:58.849+10:00]  -- (not sure of this one)

DATETIME_CONFIG =
NO_BINARY_CHECK = true
TZ = Australia/Sydney
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N  
TIME_PREFIX = \[

0 Karma
Reply

burwell
SplunkTrust
SplunkTrust
‎07-09-2021 01:53 PM

@shreya17  Great job!

I tested these and they seem correct.

A couple of settings I like to add

  • MAX_TIMESTAMP_LOOKAHEAD .. make it be the total number of characters in the time including timezone etc
  • SHOULD_LINEMERGE=false
  • LINE_BREAKER=([\r\n]+)..     This one you put the regular expression that matches the beginning of an event. That way if there's some garbage lines they won't be treated as single events (if you want that) e.g. for 2 of your events it would be LINE_BREAKER=([\r\n]+\####<
  • TRUNCATE=9999 or whatever you want. The maximum line length you will accept


0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...