Solved: Remove square brackets from timestamp

jbesant · ‎02-04-2021

Hi, hoping someone can help with this as its been a while since I used Splunk and I can't seem to figure this out!

I'm trying to import a csv that has a field with a time format of:

[20210102] 06:58.10

I have tried TIME_FORMAT=%Y%m%d %H:%M.%S

and I get a _time field that is correct except it doesn't show the seconds. the above is returned as 02/01/2021 06:58:00

I'm pretty sure its to do with the way the square brackets are being interpreted but can't seem to work out how to ignore them. Adding them into the TIME_FORMAT string doesn't help.

Thanks.

richgalloway · ‎02-04-2021

Include the brackets in the time format

TIME_PREFIX = \[
TIME_FORMAT = %Y%m%d] %H:%M.%S

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎02-04-2021

Include the brackets in the time format

TIME_PREFIX = \[
TIME_FORMAT = %Y%m%d] %H:%M.%S

---
If this reply helps you, Karma would be appreciated.

jbesant · ‎02-04-2021

No, sorry, that doesn't work. I also tried TIME_PREFIX=^\[

richgalloway · ‎02-04-2021

How are you testing it? If you're editing a props.conf file then be sure to restart Splunk afterwards. Also, make sure to edit the correct file.

You know the settings only apply to new data, right?

---
If this reply helps you, Karma would be appreciated.

jbesant · ‎02-05-2021

Many thanks, forgot to do the restart.

Remove square brackets from timestamp

field extraction

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!