Re: Date Parsing

dmrhodes101 · ‎07-04-2012

Hi all

I have the following in a log file that we're passing to Splunk:

Log for 03/07/2012 06:47:43

The date is being parsed as 07/03/2012 so we added:

TIME_PREFIX = "Log for "

TIME_FORMAT = %d/%m/%Y %H:%M:%S

to PROPS.CONF

I'm still getting 07/03 and also a "Could not use strptime to parse timestamp".

Can anyone assist?
Thanks

dmrhodes101 · ‎10-05-2012

Hi,

I changed the PROPS.CONF file to read:

[EDICOMMS]

NO_BINARY_CHECK = 1

pulldown_type = 1

TIME_PREFIX = Log for

TIME_FORMAT = %d/%m/%Y %H:%M:%S

SHOULD_LINEMERGE = TRUE

BREAK_ONLY_BEFORE = Log for

And that fixed my problem.

Dave

elaine0102 · ‎10-05-2012

Glad that you managed to solve it.
However, it could not solve mine.
Thank you for replying 🙂

dmrhodes101 · ‎07-09-2012

Now trying to create a new data input and getting the same error again:

From PROPS.CONF

[EDICOMMS]
NO_BINARY_CHECK = 1
pulldown_type = 1
TIME_PREFIX = Log for 
TIME_FORMAT = %d/%m/%Y %H:%M:%S
SHOULD_LINEMERGE = True
BREAK_ONLY_AFTER =  <NEWRECORD>

Output:

116     03/07/2012 04:20:06.000   Log for 03/07/2012 04:20:06
                                  "CUSTOMER:*******" <NEWRECORD> 

117     03/07/2012 04:20:18.000   Log for 03/07/2012 04:20:18
                                  Unknown issue. Type DIR Error 20142 550 No matching files pouet
                                  "CUSTOMER:*******" <NEWRECORD> 

118     03/07/2012 04:20:21.000   Log for 03/07/2012 04:20:21
                                  "CUSTOMER:********" <NEWRECORD> 

119     03/07/2012 04:20:25.000   Log for 03/07/2012 04:20:25
                                  "CUSTOMER:********" <NEWRECORD> 

120     03/07/2012 04:22:39.000   Log for 03/07/2012 04:22:39
                                  "CUSTOMER:*****" <NEWRECORD>

Each event has the "Could not use strptime to parse timestamp" warning, but seems to have converted the timestamp correctly.

Anyone know what I' doing wrong?

elaine0102 · ‎10-04-2012

Hi, have you solve this?
I am having the same issue as you and not sure what to do.

dmrhodes101 · ‎07-06-2012

Curse my stupidity. I had forgotten to restart Splunk when I made the change above.

Ayn · ‎07-04-2012

Your TIME_PREFIX is wrong. It shouldn't include quotes, as Splunk will interpret that as that it should literally match the whole string including the quotes.

Ayn · ‎07-05-2012

Are you looking at newly indexed data? Data that is already in the index will not be affected by these changes. Also I'm assuming that you're sure that this relates to how Splunk parses the data, not how it outputs it in the web UI...

dmrhodes101 · ‎07-05-2012

Thanks Ayn

I've changed that, but there's no difference I'm afraid.

The date is highlighted, but it insists on converting to a US date.

Date Parsing

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

GA: New Data Management App in Splunk Platform

Announcing Modern Navigation: A New Era of Splunk User Experience

Join the Conversation