Splunk Search

Default _time

camah4
New Member

I have an example log file with the following format:

Nov 05 10:33:37 servername applicationserver: instance,ipaddress,[05/Nov/2011:10:33:33 +0000]

I would like the second time column which contains [05/Nov/2011:10:33:33 +0000] to be column which is used for _time at index time, currently by default it uses Nov 05 10:33:37.

Any suggestion on how to tech splunk to use the alternative timestamp for _time would be appreciated.

Thanks

Tags (1)
0 Karma

tgow
Splunk Employee
Splunk Employee

Here is an example of a props.conf that could work:

[yoursourcetype]
TIME_PREFIX = ,\[
TIME_FORMAT = %d/%h/%Y:%T

You might need to change this depending on if you are using a 24-hour clock or not.

Takajian
Builder

You can extract timestamp as you want. Please see following manual. This will help your question.

http://docs.splunk.com/Documentation/Splunk/4.2.4/Data/Configuretimestamprecognition

DUThibault
Contributor

Version 4.2.4 is long dead. This link still works as of version 7.2.6 : https://docs.splunk.com/Documentation/Splunk/latest/Data/Configuretimestamprecognition

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...

Best Practices: Splunk auto adjust pipeline queue

When you enable autoAdjustQueue in Splunk, maxSize should be understood as the queue size Splunk starts with ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...