Re: Format Date

nikhilmehra79 · ‎03-11-2014

Hi -

I have a raw event which has raw event lines as
"11-Mar-14 9:38:58 PM",300,64.00000000
This was from today 11 March 2014

Now the event Date as figured by Splunk is
» 3/14/11
9:38:58.000 PM
Splunk is treating it as one event from year 2011

I read through time formatting document and made changes in props.conf with new event type
but still no luck.
My props.conf looks like:

[csv-2]
KV_MODE = none
REPORT-AutoHeader = AutoHeader-1
SHOULD_LINEMERGE = False
pulldown_type = true
TIME_FORMAT = %d-%b-%y %H:%M:%S.%3N %Z

Not sure why it is not working, any suggestion will be greatly appreciated. I also tried
TIME_FORMAT = %d-%b-%y %H:%M:%S with no luck. Please suggest/help

linu1988 · ‎03-12-2014

Hello,
Could you try this?

[csv-2] 
KV_MODE = none 
REPORT-AutoHeader = AutoHeader-1 
SHOULD_LINEMERGE = False 
TIME_FORMAT = %d-%b-%y %I:%M:%S %p
TIME_PREFIX="
pulldown_type = true

Thanks

linu1988 · ‎03-13-2014

once this is recognized in splunk, the defualt _time field will be assigned. transforms is not affected by this change.

Feel free to accept as answer..

nikhilmehra79 · ‎03-13-2014

i think this worked my props.conf looks as below,
i have a quick question though - does this mean the raw format in event is now changed and indexed like that and i do not need to modify muy transforms.conf as i pointed above, is props.conf entry for TIME_FORMAT and TIME_PREFIX is enough to make this change in raw events for future.
[csv-2]
KV_MODE = none
REPORT-AutoHeader = AutoHeader-1
SHOULD_LINEMERGE = False
TIME_FORMAT = %d-%b-%y %I:%M:%S %p
TIME_PREFIX="
pulldown_type = true

somesoni2 · ‎03-12-2014

Try this

[csv-2] 
KV_MODE = none 
REPORT-AutoHeader = AutoHeader-1 
SHOULD_LINEMERGE = False 
pulldown_type = true 
TIME_FORMAT = "%d-%b-%y %H:%M:%S %p

yannK · ‎03-11-2014

probably 3 issues :
- the %Z, there is not timezone in your timestamp
- and the %3N for the millisecongs, they are none in your timestamp
- and if you have PM/AM notation , it means that your hour is on a 12'clock not a 24h clock
check the documentation for the TIME_FORMAT

nikhilmehra79 · ‎03-12-2014

and say splunk read at 5:00 then splunk is showing 5:00 as time for all events instead of individual events as logged in log file

nikhilmehra79 · ‎03-12-2014

Rakesh thanks....actually i tried similar one :
Here is my props.conf
KV_MODE = none
REPORT-AutoHeader = AutoHeader-1
SHOULD_LINEMERGE = False
pulldown_type = true
TRANSFORMS-sortdate = resortdate
TIME_PREFIX=^\d+
TIME_FORMAT = %d-%b-%y %H:%M:%S %p

and my transforms.conf
[resortdate]
REGEX = ^(\d{2})-(.*)-(\d{2})\s([^/]+)
FORMAT = $2/$1/$3 $4
DEST_KEY = _raw

I am able to get date moved to current day with this but all the events in file inserted in splunk at one time - so say i have 10 events with time stamp 1:00, time stamp 2:00, time stamp 3:00 in log file

rakesh_498115 · ‎03-11-2014

Hi nikhil,

can u pls try the following ??

TIME_PREFIX = \"
TIME_FORMAT = %d-%b-%y %H:%M:%S %p

nikhilmehra79 · ‎03-11-2014

So i even tried
%d-%b-%y %H:%M:%S %p
%p for AM and PM

Format Date

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Tech Talk | One Log to Rule Them All

Splunk Security Content for Threat Detection & Response, Q1 Roundup