Solved: Re: Splunk not recognizing the date format

oliverkunert · ‎08-11-2017

Splunk is not recognizing the date and time of my data correctly.
My data is in the common log format. An example of a line would be:

192.168.2.1 Logname Username [02/Aug/2002:20:16:59 -0700] "GET /img/pic.jpg HTTP/1.0" 200 56812

Where 02/Aug/2002 would be the date, 20:16:59 the time and -0700 the timezone.
It has a unique sourcetype that is correctly assigned.
When searching for the data the _time field shows incorrect and semi-random values.

My props.conf:

[mysourcetype]
TIME_FORMAT=[%d/%b/%Y:%H:%M:%S %z]
TIME_PREFIX=^

The time format shows the correct regex in Splunk Web under Sourcetypes, so my props.conf gets loaded.

richgalloway · ‎08-11-2017

Try these props.conf settings.

[mysourcetype]
TIME_FORMAT=%d/%b/%Y:%H:%M:%S %z
TIME_PREFIX=\[

---
If this reply helps you, Karma would be appreciated.

View solution in original post

sbbadri · ‎08-11-2017

try below,

[mysourcetype]
TIME_FORMAT=\[%d/%b/%Y:%H:%M:%S %z\]
TIME_PREFIX=^\d+\.\d+\.+d\.\d+\s\S+\s\S+\s\[

richgalloway · ‎08-11-2017

It won't work with \[ in both TIME_PREFIX and TIME_FORMAT.

---
If this reply helps you, Karma would be appreciated.

richgalloway · ‎08-11-2017

Try these props.conf settings.

[mysourcetype]
TIME_FORMAT=%d/%b/%Y:%H:%M:%S %z
TIME_PREFIX=\[

---
If this reply helps you, Karma would be appreciated.

oliverkunert · ‎08-16-2017

After I used your configuration the problem still persisted. After removing the date from extracted fields for the search it worked.

adonio · ‎08-11-2017

try and remove the square brackets around your time format

Splunk not recognizing the date format

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?

Splunk Education Goes to Washington | Splunk GovSummit 2024