Splunk Search

Format Date

nikhilmehra79
Path Finder

Hi -

I have a raw event whose raw event lines look like
"11-Mar-14 9:38:58 PM",300,64.00000000
This was from today, 11 March 2014.

Now the event Date as figured by Splunk is
» 3/14/11
9:38:58.000 PM
Splunk is treating it as an event from the year 2011.

I read through the time formatting document and made changes in props.conf with a new event type,
but still no luck.
My props.conf looks like:

[csv-2]
KV_MODE = none
REPORT-AutoHeader = AutoHeader-1
SHOULD_LINEMERGE = False
pulldown_type = true
TIME_FORMAT = %d-%b-%y %H:%M:%S.%3N %Z

Not sure why it is not working; any suggestion will be greatly appreciated. I also tried
TIME_FORMAT = %d-%b-%y %H:%M:%S with no luck. Please suggest/help.

0 Karma

linu1988
Champion

Hello,
Could you try this?

[csv-2] 
KV_MODE = none 
REPORT-AutoHeader = AutoHeader-1 
SHOULD_LINEMERGE = False 
TIME_FORMAT = %d-%b-%y %I:%M:%S %p
TIME_PREFIX="
pulldown_type = true 

Thanks

0 Karma

linu1988
Champion

Once this is recognized in Splunk, the default _time field will be assigned. transforms is not affected by this change.

Feel free to accept as answer..

0 Karma

nikhilmehra79
Path Finder

I think this worked. My props.conf looks as below.
I have a quick question though: does this mean the raw format in the event is now changed and indexed like that, and I do not need to modify my transforms.conf as I pointed out above? Is the props.conf entry for TIME_FORMAT and TIME_PREFIX enough to make this change in raw events for the future?
[csv-2]
KV_MODE = none
REPORT-AutoHeader = AutoHeader-1
SHOULD_LINEMERGE = False
TIME_FORMAT = %d-%b-%y %I:%M:%S %p
TIME_PREFIX="
pulldown_type = true

0 Karma

somesoni2
Revered Legend

Try this

[csv-2] 
KV_MODE = none 
REPORT-AutoHeader = AutoHeader-1 
SHOULD_LINEMERGE = False 
pulldown_type = true 
TIME_FORMAT = "%d-%b-%y %H:%M:%S %p

0 Karma

yannK
Splunk Employee

Probably 3 issues:
- the %Z: there is no timezone in your timestamp
- and the %3N for the milliseconds: there are none in your timestamp
- and if you have PM/AM notation, it means that your hour is on a 12-hour clock, not a 24h clock
Check the documentation for TIME_FORMAT.

0 Karma
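To see why the three points above matter, here is an added example (not from this thread or from Splunk) that runs the formats discussed here over one constructed event line, using Python's strptime as a stand-in for Splunk's timestamp parser. It assumes Splunk's %3N can be approximated by Python's %f, and that a non-matching TIME_PREFIX or TIME_FORMAT leaves Splunk to fall back to its own guessing or to index time, which is what produces the "all events at 5:00" symptom.

```python
import re
from datetime import datetime

# Constructed sample line in the format the thread discusses.
RAW = '"11-Mar-14 9:38:58 PM",300,64.00000000'


def extract_timestamp(raw, time_prefix, time_format):
    """Approximate Splunk's TIME_PREFIX/TIME_FORMAT behaviour: parse the
    timestamp from the text following the first match of the prefix regex.
    Returns a datetime, or None when nothing parses (Splunk would then fall
    back to its own guessing, or to index time)."""
    m = re.search(time_prefix, raw)
    if m is None:
        return None
    rest = raw[m.end():]
    # Python's strptime wants the whole string to match, whereas Splunk reads
    # only as much text as the format needs, so try the longest prefix first.
    for end in range(len(rest), 0, -1):
        try:
            return datetime.strptime(rest[:end], time_format)
        except ValueError:
            continue
    return None


def compare_formats(raw=RAW):
    """Run the formats from the thread over one line; returns name -> datetime/None."""
    cases = {
        # The original props.conf: %Z and milliseconds that are not in the data
        # (%3N is Splunk-specific; %f is the closest Python stand-in, an assumption).
        "original": ('"', "%d-%b-%y %H:%M:%S.%f %Z"),
        # 24-hour %H combined with %p: parses, but the PM marker is ignored,
        # so the event is silently placed 12 hours early.
        "24h_with_ampm": ('"', "%d-%b-%y %H:%M:%S %p"),
        # TIME_PREFIX of ^\d+ never matches a line that starts with a quote.
        "bad_prefix": (r"^\d+", "%d-%b-%y %I:%M:%S %p"),
        # The working fix: 12-hour clock plus %p, anchored on the opening quote.
        "fixed": ('"', "%d-%b-%y %I:%M:%S %p"),
    }
    return {name: extract_timestamp(raw, p, f) for name, (p, f) in cases.items()}


if __name__ == "__main__":
    for name, ts in compare_formats().items():
        print(f"{name:14s} -> {ts}")
```

Only the last case yields 2014-03-11 21:38:58; the 24-hour variant parses without error but lands on 09:38:58, the kind of silent shift that corrupts event timelines during an investigation.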

nikhilmehra79
Path Finder

And say Splunk read it at 5:00; then Splunk is showing 5:00 as the time for all events instead of the individual times as logged in the log file.

0 Karma

nikhilmehra79
Path Finder

Rakesh, thanks... actually I tried a similar one:
Here is my props.conf
KV_MODE = none
REPORT-AutoHeader = AutoHeader-1
SHOULD_LINEMERGE = False
pulldown_type = true
TRANSFORMS-sortdate = resortdate
TIME_PREFIX=^\d+
TIME_FORMAT = %d-%b-%y %H:%M:%S %p

and my transforms.conf
[resortdate]
REGEX = ^(\d{2})-(.*)-(\d{2})\s([^/]+)
FORMAT = $2/$1/$3 $4
DEST_KEY = _raw

I am able to get the date moved to the current day with this, but all the events in the file are inserted in Splunk at one time. So say I have 10 events with time stamp 1:00, time stamp 2:00, time stamp 3:00 in the log file

0 Karma

rakesh_498115
Motivator

Hi nikhil,

can u pls try the following?

TIME_PREFIX = \"
TIME_FORMAT = %d-%b-%y %H:%M:%S %p

0 Karma

nikhilmehra79
Path Finder

So I even tried
%d-%b-%y %H:%M:%S %p
%p for AM and PM

0 Karma