Solved: How to set the the correct timestamp recognition a...

LuiesCui · ‎03-06-2015

Hey guys, I'm new to splunk and I need ur help!!!

A .log file is loaded by forwarder to Splunk and is setting the wrong timestamp like this:

Actual time

15/03/03 23:59:43.000
Events

Mon,02Mar 23:59:43 Flow Control Request counter: [1]

So I tried to set the timestamp by editing the props.conf, like this:

[palink_log]
CHARSET = CN-GB
NO_BINARY_CHECK = true
priority = 1
TIME_PREFIX = \w{3},
TIME_FORMAT = %d%b %H:%M:%S

It doesn't help and there's no year data in events. How do I set the the correct timestamp manually for this single file?

srinathd · ‎03-06-2015

Try this TIME_FORMAT=%a,%d%b %H:%M:%S

srinathd · ‎03-06-2015

Try this TIME_FORMAT=%a,%d%b %H:%M:%S

cpetterborg · ‎03-06-2015

If you do, get rid of the TIME_PREFIX, as it will conflict with the parsing of the time.

LuiesCui · ‎03-06-2015

And how do I set year?

How to set the the correct timestamp recognition and formatting in props.conf?