I am new in Splunk. Now, I am facing a problem.
The date in every event is as the following:
12/10/22
The splunk cannot read the date, then it displays the time when the file creates.
I have tried to add the TIME_FORMAT = %y/%m/%d in props.conf.
But it doesn't work. Is there anything I did wrong? Any idea? Thanks.
I've personally had trouble with date-only "time"stamps in the past as well, and my fix was to add a bogus 00:00:00 time to the date. That way you have a much easier task of getting the event dated correctly.
This may be possible with a SEDCMD in props.conf (something along the lines of s/(\d\d\/\d\d\/\d\d)/\1 00:00:00/), but I'm not 100% certain whether it gets applied before or after timestamp parsing. You should give it a try.
I've personally had trouble with date-only "time"stamps in the past as well, and my fix was to add a bogus 00:00:00 time to the date. That way you have a much easier task of getting the event dated correctly.
This may be possible with a SEDCMD in props.conf (something along the lines of s/(\d\d\/\d\d\/\d\d)/\1 00:00:00/), but I'm not 100% certain whether it gets applied before or after timestamp parsing. You should give it a try.
Zyxcc, apologies - I stand corrected (thanks martin_m).
There is a TIME_PREFIX to be found in props.conf which tells Splunk where to start matching from and another parameter MAX_TIMESTAMP_LOOKAHEAD to span how many characters it should look for a timestamp. I'd backup the file and edit a new version into your /local and try a few combinations of those.
Sorry I can't be of more help - You data example looks pretty simple unless its an extract of a larger event. P160-164 of the Splunk Data manual has more.
