Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Remove square brackets from timestamp

jbesant
Explorer
‎02-04-2021 05:09 AM

Hi, hoping someone can help with this as its been a while since I used Splunk and I can't seem to figure this out!

I'm trying to import a csv that has a field with a time format of:

[20210102] 06:58.10

I have tried TIME_FORMAT=%Y%m%d %H:%M.%S

and I get a _time field that is correct except it doesn't show the seconds. the above is returned as 02/01/2021 06:58:00

I'm pretty sure its to do with the way the square brackets are being interpreted but can't seem to work out how to ignore them. Adding them into the TIME_FORMAT string doesn't help.

Thanks.

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎02-04-2021 05:27 AM

Include the brackets in the time format

TIME_PREFIX = \[
TIME_FORMAT = %Y%m%d] %H:%M.%S
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎02-04-2021 05:27 AM

Include the brackets in the time format

TIME_PREFIX = \[
TIME_FORMAT = %Y%m%d] %H:%M.%S
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

jbesant
Explorer
‎02-04-2021 05:48 AM

No, sorry, that doesn't work. I also tried TIME_PREFIX=^\[

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎02-04-2021 11:07 AM

How are you testing it?  If you're editing a props.conf file then be sure to restart Splunk afterwards.  Also, make sure to edit the correct file.

You know the settings only apply to new data, right?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

jbesant
Explorer
‎02-05-2021 03:23 AM

Many thanks, forgot to do the restart.

0 Karma
Reply
Get Updates on the Splunk Community!

AI for AppInspect

We’re excited to announce two new updates to AppInspect designed to save you time and make the app approval ...

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

As we step into 2026, it’s the perfect moment to reflect on what an extraordinary year 2025 was for the Splunk ...

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Overview Enterprise Security 8.3 introduces a powerful new feature called “Entity Risk Scoring” (ERS) for ...