Format Date

Path Finder

Hi -

I have a raw event which has raw event lines as
"11-Mar-14 9:38:58 PM",300,64.00000000
This was from today 11 March 2014

Now the event Date as figured by Splunk is
3/14/11 9:38:58.000 PM
Splunk is treating it as one event from year 2011

I read through time formatting document and made changes in props.conf with new event type
but still no luck.
My props.conf looks like:

[csv-2]
KV_MODE = none
REPORT-AutoHeader = AutoHeader-1
SHOULD_LINEMERGE = False
pulldown_type = true
TIME_FORMAT = %d-%b-%y %H:%M:%S.%3N %Z

Not sure why it is not working, any suggestion will be greatly appreciated. I also tried
TIME_FORMAT = %d-%b-%y %H:%M:%S with no luck. Please suggest/help

0 Karma

Re: Format Date

Splunk Employee

Probably 3 issues:
- the %Z: there is no timezone in your timestamp
- the %3N for the milliseconds: there are none in your timestamp
- if you have PM/AM notation, it means that your hour is on a 12-hour clock, not a 24h clock
Check the documentation for TIME_FORMAT.

0 Karma

Re: Format Date

Path Finder

So I even tried
%d-%b-%y %H:%M:%S %p
%p for AM and PM

0 Karma

Re: Format Date

Motivator

Hi nikhil,

Can you please try the following?

TIME_PREFIX = \"
TIME_FORMAT = %d-%b-%y %H:%M:%S %p

0 Karma

Re: Format Date

Path Finder

Rakesh, thanks... actually I tried a similar one:
Here is my props.conf
KV_MODE = none
REPORT-AutoHeader = AutoHeader-1
SHOULD_LINEMERGE = False
pulldown_type = true
TRANSFORMS-sortdate = resortdate
TIME_PREFIX=^\d+
TIME_FORMAT = %d-%b-%y %H:%M:%S %p

and my transforms.conf
[resortdate]
REGEX = ^(\d{2})-(.*)-(\d{2})\s([^/]+)
FORMAT = $2/$1/$3 $4
DEST_KEY = _raw

I am able to get the date moved to the current day with this, but all the events in the file are inserted in Splunk at one time - so say I have 10 events with time stamp 1:00, time stamp 2:00, time stamp 3:00 in the log file

0 Karma

Re: Format Date

Path Finder

and say Splunk read it at 5:00, then Splunk is showing 5:00 as the time for all events instead of the individual event times as logged in the log file

0 Karma

Re: Format Date

SplunkTrust

Try this

[csv-2] 
KV_MODE = none 
REPORT-AutoHeader = AutoHeader-1 
SHOULD_LINEMERGE = False 
pulldown_type = true 
TIME_FORMAT = "%d-%b-%y %H:%M:%S %p
0 Karma

Re: Format Date

Champion

Hello,
Could you try this?

[csv-2] 
KV_MODE = none 
REPORT-AutoHeader = AutoHeader-1 
SHOULD_LINEMERGE = False 
TIME_FORMAT = %d-%b-%y %I:%M:%S %p
TIME_PREFIX="
pulldown_type = true 

Thanks

0 Karma
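
An added example, not part of the thread: the formats discussed above, checked offline against the sample line with Python's datetime.strptime as a stand-in for Splunk's timestamp parser (an assumption: the two parsers are not guaranteed to agree, and the Splunk-only %3N directive is left out). With this parser, %H combined with %p accepts the text but ignores PM, and a year-first reading of the same text gives the 3/14/11 date shown in the question.

```python
from datetime import datetime

# Constructed sample: the raw line quoted in the question.
RAW = '"11-Mar-14 9:38:58 PM",300,64.00000000'

# Candidate formats from the thread, plus one year-first reading.
# %b assumes an English locale for the month abbreviation.
CANDIDATES = [
    "%d-%b-%y %H:%M:%S",     # no AM/PM directive
    "%d-%b-%y %H:%M:%S %p",  # 24-hour hour with AM/PM
    "%d-%b-%y %I:%M:%S %p",  # 12-hour hour with AM/PM
    "%y-%b-%d %I:%M:%S %p",  # year-first reading of the same text
]

def extract_timestamp(raw, prefix='"'):
    """Return the text between the prefix and the next double quote."""
    start = raw.index(prefix) + len(prefix)
    return raw[start:raw.index('"', start)]

def try_format(text, fmt):
    """Parse text with fmt; None when the format does not fit."""
    try:
        return datetime.strptime(text, fmt)
    except ValueError:
        return None

def check_formats(raw=RAW, candidates=CANDIDATES):
    """Map each candidate format to the datetime it yields (or None)."""
    text = extract_timestamp(raw)
    return {fmt: try_format(text, fmt) for fmt in candidates}

if __name__ == "__main__":
    for fmt, parsed in check_formats().items():
        print(f"{fmt:24} -> {parsed}")
```

A format that parses without error can still be 12 hours or several years off, so compare the parsed value with the raw text before relying on event times for correlation.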

Re: Format Date

Path Finder

I think this worked; my props.conf looks as below.
I have a quick question though - does this mean the raw format in the event is now changed and indexed like that, and I do not need to modify my transforms.conf as I pointed out above? Is the props.conf entry for TIME_FORMAT and TIME_PREFIX enough to make this change in raw events for the future?
[csv-2]
KV_MODE = none
REPORT-AutoHeader = AutoHeader-1
SHOULD_LINEMERGE = False
TIME_FORMAT = %d-%b-%y %I:%M:%S %p
TIME_PREFIX="
pulldown_type = true

0 Karma

Re: Format Date

Champion

Once this is recognized in Splunk, the default _time field will be assigned. Transforms is not affected by this change.

Feel free to accept as answer..

0 Karma