Re: I need help with time stamp recognition

kjetil · ‎07-06-2012

Hi.

I've just started with Splunk and need help setting up file input. The log files looks like the below. A header row and one row per event. Each event starts with a number from 0 to whatever, the date, the time and a lot of other fields - all fields separated by semicolon

0;30Jun2012;23:30:00;

567498;1Jul2012;11:26:44;

What I need help with is setting up the recognition. Auto does not work and I'm no too good with regular expressions.

Anyone?

Share and enjoy
Kjetil

Ayn · ‎07-06-2012

It's not regular expressions you need, but rather strftime/strptime style definitions. I usually go to http://strftime.org/ for a quick reference on them - or if the short version there doesn't cover what I want, I do man strftime in a UNIX shell. These definitions should go in the TIME_FORMAT directive in the appropriate section in props.conf. So for your logs it should be something like:

[your_sourcetype]
TIME_FORMAT = %e%b%Y;%H:%M:%S

I need help with time stamp recognition

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation