Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Different date format in same log

pero1234
Path Finder
‎07-01-2011 08:10 AM

How can I pars this log with different date format?

data.log:

2011.06.30 16:06:11 data data data data bla bla
30.06.2011. 16:06:10 data data data bla bla data
...
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎07-01-2011 08:57 AM

You can't use TIME_FORMAT in this example, because that assumes there is a single timestamp format within the file.

It's possible that both of these formats are in datetime.xml already, which would let Splunk parse them without help. If not, you could make a custom datetime.xml that has both of these formats in it. That should let the timestamp parser differentiate between the two and parse appropriately.

http://www.splunk.com/base/Documentation/4.2.2/Data/TrainSplunkToRecognizeATimestamp#Createacustomda...

View solution in original post

0 Karma
Reply
Solved! Jump to solution

pero1234
Path Finder
‎07-01-2011 12:52 PM

I need include both date format. I need include everything in this log.

0 Karma
Reply
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎07-01-2011 08:57 AM

You can't use TIME_FORMAT in this example, because that assumes there is a single timestamp format within the file.

It's possible that both of these formats are in datetime.xml already, which would let Splunk parse them without help. If not, you could make a custom datetime.xml that has both of these formats in it. That should let the timestamp parser differentiate between the two and parse appropriately.

http://www.splunk.com/base/Documentation/4.2.2/Data/TrainSplunkToRecognizeATimestamp#Createacustomda...

0 Karma
Reply
Solved! Jump to solution

pero1234
Path Finder
‎07-01-2011 01:02 PM

THX for help. It seems that splunk correctly recognize and separate events without define sourcetype.
I try to define sourcetype=datalog and in props.conf define just stanza name without any options and works!

0 Karma
Reply
Solved! Jump to solution

jbsplunk
Splunk Employee
Splunk Employee
‎07-01-2011 08:38 AM

Could you edit your question to clarify what you'd like to see in terms of a date format? Which of the two formats here would you like to include/exclude?

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...