Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to extract date and time in Splunk?

DonDandrea
Path Finder
‎06-12-2014 12:36 PM

I am having problems getting splunk to recognize date/time. The txt file I am extracting data from has multiple sources. Each source can have a different date/time format. Right now we are using two different types of events but will add new ones in the future. One of the two formats only includes a date. The other format has a date and a time but are not grouped together. See example below. 

ODEPR  ;04/28/14 ;1D81;CHM_retrieveIntmdDtlMDMPrntInqry ;ValidateResponse ;0.000 ;0.001 ;10704 ;PRO1BAT1 ;ValidateNode ;MQS2BRK
NODENP  ;06/12/14 ;1B90;0:22 ;PYM_entityCheckPatriotAct43A_MF ;FilterEndOfBatch ;0.000 ;0.000 ;9 ;TST1TRN3 ;FilterNode ;MQS9BRK

Any help you can provide would be greatly appreciated.

Thank you,
Don

Tags (3)
0 Karma
Reply

DonDandrea
Path Finder
‎06-13-2014 12:19 PM

I tried this and it worked for the entries that have a time. The entried that do not have time are indexed with the date the file was indexed. To be quite honest I don't care about the time. The entries are once a day. The date is the important piece.

0 Karma
Reply

lguinn2
Legend
‎06-12-2014 02:06 PM

As long as you keep the different sources in different input files or streams, you should be fine. But I think you will make yourself nuts if you mix more than one timestamp format in the same input.

For each input where you want to specify the time format, you will need an entry in props.conf

[source::/path/to/your/source/file.ext]
TIME_FORMAT=%m/%d/%y
MAX_TIMESTAMP_LOOKAHEAD = 50

This props.conf belongs on the indexer(s) that parse the data, not on the forwarders.

The MAX_TIMESTAMP_LOOKAHEAD is not required, but it is a good idea. I have set it so that it only examines the first 50 characters of the event for the timestamp.

More information here: How Splunk extracts timestamps

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top