Re: The date has special characters in my logs wh...

simon21 · ‎05-19-2019

The log file of UTF-16LE is fetched in batch mode, but LRM (Left-to-Right Mark) is included in the date part in the log file and the date part can not be extracted correctly,
so in _time, different dates are coming in.
Raw data:

[1]0638.08C4::?2019?-?03?-?21 15:44:03.831 [Microsoft-Windows-DNSServer]QUERY_RECEIVED: TCP=0????????? IP=10.10.10.10????=10.10.10.4?RD=1?QNAME=test.net.?QTYPE=1?XID=38145????=56663????=256????? ???=0x950101000002345000000000116169636869737465656C73746F7261676504626C6F6204636F72650777696E646F7773036E65740000010001

Please notice the "?" between the dates format. How to I parse it correctly to capture the actual date in splunk?

Please help

koshyk · ‎05-19-2019

In props.conf, you need to configure timestamp extraction. https://docs.splunk.com/Documentation/Splunk/7.2.6/Data/Configuretimestamprecognition

[yoursourcetype]
MAX_TIMESTAMP_LOOKAHEAD = 44
TIME_PREFIX = ::?
TIME_FORMAT = %Y?-?%m?-?%d %H:%M:%S.%3N

You may also need to configure other index time settings like linebreaker etc.

The date has special characters in my logs which is which the timestamp parsing is incorrect. could someone help me identify the conf changes needed to capture the timestamp?

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...