Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I handle a time stamp with flexible spaces?

ddrillic
Ultra Champion
‎04-03-2019 01:57 PM

We have a syslog data that was written to disk via the FULLDATE macro. For today, it looks like — 2019 Apr 3 19:30:01 with double space. I assume that it would be 2019 Apr 13 19:30:01 in ten days with only one space.

I wonder which format to use in props.conf -

TIME_FORMAT=%Y %b %d %H:%M:%S works fine for 2019 Apr 3 19:30:01 but not for 2019 Apr 13 19:30:01, which is counter intuitive to me.

On Unix, I see -

date "+%Y %b %d %H:%M:%S" as 2019 Apr 03 15:45:41. Apparently space and zero are interchangeable.

Any ideas?

Tags (2)
0 Karma
Reply

ddrillic
Ultra Champion
‎04-03-2019 06:23 PM

This warning threw me off ; -)alt text

0 Karma
Reply

ddrillic
Ultra Champion
‎04-03-2019 06:17 PM

It seems that it was my bad - it works just fine.

0 Karma
Reply
Get Updates on the Splunk Community!

New Year, New Changes for Splunk Certifications

As we embrace a new year, we’re making a small but important update to the Splunk Certification ...

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...