Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Time is not getting extracted properly ?

lohitkidu
Path Finder
‎03-07-2016 02:54 AM

Hi All,

I am not able to extract time format from events like below

07/03/2016 Mon Mar 7 10:42:25 2016 Info: End Logfile
10:42:31.000

As it can be seen original time is 10.42.25 whereas splunk is parsing time as 10:42:31.000 . It is off by 6 seconds and it varies among other events how much it is getting off by. Below is my props.conf for this sourcetype:
[abc]
TIME_PREFIX=^
TIME_FORMAT=%c

But it is not working . What am i doing wrong ?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Richfez
SplunkTrust
SplunkTrust
‎03-07-2016 07:09 PM

"07/03/2016 Mon Mar 7 10:42:25"

Could be matched by 

[abc]
TIME_PREFIX=^
TIME_FORMAT=%d/%m/%Y %a %b %H:%M:%S

Derived from careful study of the date and time format variables. I'm not 100% positive %c matches that. (I generally try to not use 'magic' variables in those, because magic is a bit fiddly and has a way of biting the hand that's feeding it.)

View solution in original post

0 Karma
Reply
Solved! Jump to solution

lohitkidu
Path Finder
‎03-07-2016 08:22 PM

Correct rich7177. Seems like %c is not working here. I do not know why

I have matched it with
TIME_FORMAT=%a %b %d %H:%M:%S %Y

0 Karma
Reply
Solved! Jump to solution
Solution

Richfez
SplunkTrust
SplunkTrust
‎03-07-2016 07:09 PM

"07/03/2016 Mon Mar 7 10:42:25"

Could be matched by 

[abc]
TIME_PREFIX=^
TIME_FORMAT=%d/%m/%Y %a %b %H:%M:%S

Derived from careful study of the date and time format variables. I'm not 100% positive %c matches that. (I generally try to not use 'magic' variables in those, because magic is a bit fiddly and has a way of biting the hand that's feeding it.)

0 Karma
Reply
Solved! Jump to solution

alemarzu
Motivator
‎03-07-2016 10:13 AM

Hi there

Thats weird mate, what Splunk version are you running ? Because timestamp recognition works just fine for me on 6.2.3 & 6.3.0

0 Karma
Reply
Get Updates on the Splunk Community!

Celebrating Fast Lane: 2025 Authorized Learning Partner of the Year

At .conf25, Splunk proudly recognized Fast Lane as the 2025 Authorized Learning Partner of the Year. This ...

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...