Splunk Search

Format Date

nikhilmehra79
Path Finder

Hi -

I have a raw event whose lines look like
"11-Mar-14 9:38:58 PM",300,64.00000000
This was from today, 11 March 2014.

Now the event date as figured out by Splunk is
» 3/14/11
9:38:58.000 PM
Splunk is treating it as an event from the year 2011.

I read through the time formatting document and made changes in props.conf with a new event type,
but still no luck.
My props.conf looks like:

[csv-2]
KV_MODE = none
REPORT-AutoHeader = AutoHeader-1
SHOULD_LINEMERGE = False
pulldown_type = true
TIME_FORMAT = %d-%b-%y %H:%M:%S.%3N %Z

Not sure why it is not working; any suggestion will be greatly appreciated. I also tried
TIME_FORMAT = %d-%b-%y %H:%M:%S with no luck. Please suggest/help.

0 Karma

linu1988
Champion

Hello,
Could you try this?

[csv-2]
KV_MODE = none
REPORT-AutoHeader = AutoHeader-1
SHOULD_LINEMERGE = False
TIME_FORMAT = %d-%b-%y %I:%M:%S %p
TIME_PREFIX="
pulldown_type = true

Thanks

0 Karma

linu1988
Champion

Once this is recognized in Splunk, the default _time field will be assigned. transforms is not affected by this change.

Feel free to accept as the answer.

0 Karma

nikhilmehra79
Path Finder

I think this worked; my props.conf looks as below.
I have a quick question though: does this mean the raw format in the event is now changed and indexed like that, and I do not need to modify my transforms.conf as I pointed out above? Is the props.conf entry for TIME_FORMAT and TIME_PREFIX enough to make this change in raw events for the future?
[csv-2]
KV_MODE = none
REPORT-AutoHeader = AutoHeader-1
SHOULD_LINEMERGE = False
TIME_FORMAT = %d-%b-%y %I:%M:%S %p
TIME_PREFIX="
pulldown_type = true

0 Karma

somesoni2
SplunkTrust

Try this

[csv-2]
KV_MODE = none
REPORT-AutoHeader = AutoHeader-1
SHOULD_LINEMERGE = False
pulldown_type = true
TIME_FORMAT = "%d-%b-%y %H:%M:%S %p

0 Karma

yannK
Splunk Employee

Probably 3 issues:
- the %Z: there is no timezone in your timestamp
- and the %3N for the milliseconds: there are none in your timestamp
- and if you have AM/PM notation, it means that your hour is on a 12-hour clock, not a 24-hour clock
Check the documentation for TIME_FORMAT.

0 Karma
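The three points above can be checked offline. The following script is an added example (it is not from this thread and not Splunk's own code): it approximates how Splunk applies TIME_PREFIX and TIME_FORMAT to the line from the question, trying every TIME_FORMAT suggested in the thread and reporting what each one would extract. The sample line is constructed to match the question; the approximation assumes Splunk matches the format at the position found by the TIME_PREFIX regex and ignores whatever follows, and it substitutes Python's %f for Splunk's %3N, which Python does not know.

```python
import re
from datetime import datetime

# Constructed sample line, copied from the raw event in the question.
SAMPLE_LINE = '"11-Mar-14 9:38:58 PM",300,64.00000000'

# TIME_PREFIX is a regex; the timestamp starts right after the opening quote.
TIME_PREFIX = r'"'

# Each TIME_FORMAT suggested in the thread, with the problem it has (or not).
CANDIDATES = {
    "%d-%b-%y %H:%M:%S.%3N %Z": "original: expects subseconds and a zone, the line has neither",
    "%d-%b-%y %H:%M:%S": "second try: parses, but never reads the PM marker",
    "%d-%b-%y %H:%M:%S %p": "24-hour %H with %p: %p is read but cannot shift a 24-hour value",
    "%d-%b-%y %I:%M:%S %p": "12-hour %I with %p: correct",
}


def tolerant_strptime(text, fmt):
    """Parse the way Splunk's timestamp extraction does (assumption): the format
    must match the START of text and whatever follows is ignored. Python's
    strptime insists on consuming the whole string, so try successively shorter
    prefixes and return the longest one that parses. Splunk's %3N (subseconds)
    has no Python equivalent; %f is the closest stand-in."""
    fmt = fmt.replace("%3N", "%f")
    for end in range(len(text), 0, -1):
        try:
            return datetime.strptime(text[:end], fmt)
        except ValueError:
            continue
    return None


def parse_event_time(line, prefix, fmt):
    """Locate the timestamp with the TIME_PREFIX regex, then apply TIME_FORMAT.
    Returns an ISO-8601 string, or None when the prefix or format does not match."""
    m = re.search(prefix, line)
    if m is None:
        return None
    parsed = tolerant_strptime(line[m.end():], fmt)
    return parsed.isoformat() if parsed else None


def evaluate_candidates(line=SAMPLE_LINE, prefix=TIME_PREFIX):
    """Map each candidate TIME_FORMAT to the time it would extract (or None)."""
    return {fmt: parse_event_time(line, prefix, fmt) for fmt in CANDIDATES}


if __name__ == "__main__":
    for fmt, result in evaluate_candidates().items():
        print(f"{fmt:28} -> {str(result):22} ({CANDIDATES[fmt]})")
    # A prefix that expects the line to begin with digits finds nothing here,
    # because the line begins with a quote, so no timestamp is extracted at all.
    print("prefix ^\\d+ ->", parse_event_time(SAMPLE_LINE, r"^\d+", "%d-%b-%y %I:%M:%S %p"))
```

Only the %I/%p format yields 21:38:58 for the sample line; the two %H variants parse but land on 09:38:58, and the original format with %3N and %Z matches nothing. The last print also shows that a TIME_PREFIX of ^\d+ never matches a line that starts with a quote, so Splunk would fall back to its own timestamp detection.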

nikhilmehra79
Path Finder

And say Splunk read it at 5:00; then Splunk is showing 5:00 as the time for all events instead of the individual times as logged in the log file.

0 Karma

nikhilmehra79
Path Finder

Rakesh, thanks... actually I tried a similar one:
Here is my props.conf:
KV_MODE = none
REPORT-AutoHeader = AutoHeader-1
SHOULD_LINEMERGE = False
pulldown_type = true
TRANSFORMS-sortdate = resortdate
TIME_PREFIX=^\d+
TIME_FORMAT = %d-%b-%y %H:%M:%S %p

and my transforms.conf:
[resortdate]
REGEX = ^(\d{2})-(.*)-(\d{2})\s([^/]+)
FORMAT = $2/$1/$3 $4
DEST_KEY = _raw

I am able to get the date moved to the current day with this, but all the events in the file are inserted in Splunk at one time. So say I have 10 events with time stamp 1:00, time stamp 2:00, time stamp 3:00 in the log file

0 Karma

rakesh_498115
Motivator

Hi Nikhil,

Can you please try the following?

TIME_PREFIX = \"
TIME_FORMAT = %d-%b-%y %H:%M:%S %p

0 Karma

nikhilmehra79
Path Finder

So I even tried
%d-%b-%y %H:%M:%S %p
(%p for AM and PM)

0 Karma