Solved: Re: How do we handle white space in TIME_FORMAT?

ddrillic · ‎04-23-2019

I have a log file with events that start like - 2019-01-09 11:19:37 WARN.

We ended up using TIME_FORMAT=%Y-%m-%d%t%H:%M:%S and I don't like the %t (tab) part.

Is there a better way to handle the white space in TIME_FORMAT?

adonio · ‎04-23-2019

Just a space " "

nothing more nothing else

sometimes you will see capital T
check out this example and see

| makeresults count=1
| eval time_with_space1 = "2019-01-09 11:19:37"
| eval time_with_space2 = "2019 01 09 11:19:37"
| eval time_with_space3 = "2019-01-09T11:19:37"
| eval check_that_time_format_works1 = strftime(strptime(time_with_space1, "%Y-%m-%d %H:%M:%S"), "%c")
| eval check_that_time_format_works2 = strftime(strptime(time_with_space2, "%Y %m %d %H:%M:%S"), "%c")
| eval check_that_time_format_works3 = strftime(strptime(time_with_space3, "%Y-%m-%dT%H:%M:%S"), "%c")

hope it helps

View solution in original post

woodcock · ‎04-23-2019

You can use combinations of %r, %n, %t and a regular space character. The numbers are not important, but the order is.

tomasmoser · ‎09-18-2020

Gregg, you made my day! Thx. I didn't know %r, %n, %s. Couldn't find anything about these in https://docs.splunk.com/Documentation/Splunk/8.0.6/SearchReference/Commontimeformatvariables.

Again, great knowledge!

ddrillic · ‎04-23-2019

Thank you @woodcock !!!

ddrillic · ‎04-23-2019

@woodcock, will a tab in the data be captured by a space in TIME_FORMAT=%Y-%m-%d %H:%M:%S?

woodcock · ‎04-23-2019

No, you need to use %t.

ddrillic · ‎04-24-2019

Wow - a bit limiting ; -)

adonio · ‎04-23-2019

Just a space " "

nothing more nothing else

sometimes you will see capital T
check out this example and see

| makeresults count=1
| eval time_with_space1 = "2019-01-09 11:19:37"
| eval time_with_space2 = "2019 01 09 11:19:37"
| eval time_with_space3 = "2019-01-09T11:19:37"
| eval check_that_time_format_works1 = strftime(strptime(time_with_space1, "%Y-%m-%d %H:%M:%S"), "%c")
| eval check_that_time_format_works2 = strftime(strptime(time_with_space2, "%Y %m %d %H:%M:%S"), "%c")
| eval check_that_time_format_works3 = strftime(strptime(time_with_space3, "%Y-%m-%dT%H:%M:%S"), "%c")

hope it helps

ddrillic · ‎04-23-2019

Interesting, I added a couple of spaces here between and the date and the time -

 | eval time_with_space1 = "2019-01-09    11:19:37"

And it still works!!!

So, the space within "%Y-%m-%d %H:%M:%S" is stretchable, right?

My conclusion is that any combination of spaces and tabs in the data should be condensed to one space within TIME_FORMAT. I hope it's correct.

ddrillic · ‎04-23-2019

Thank you @adonio !!!

ddrillic · ‎04-23-2019

The SE said -

You just leave a blank space;

TIME_FORMAT=%Y-%m-%d %H:%M:%S

How do we handle white space in TIME_FORMAT?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation