Re: correct TIME_FORMAT for time stamp

Melstrathdee · ‎12-08-2019

Hello,
I'm having trouble extracting the following timestamp for one source, is there someone here that can recommend what values to put into the $SPLUNK_HOME/etc/system/default/local file under the TIME_FORMAT attribute?

Dec 3 2019 12:59AM

I have set TIME_FORMAT to be %b %#d %Y %l:%M%p but it is ignoring the AM or PM

I am getting an error could not use strptime to parse timestamp from | xyz.com | 94 | 2051 | 436 | 0 | 21 | | Dec 3 2019 12:59AM | destructive |

and it is returning this is the timestamp 12/3/19 12:59:00.000 PM

Thank you

thambisetty · ‎12-08-2019

in props.conf

[yoursourcetype]
TIME_FORMAT = %b %d %Y %I:%M%p

————————————
If this helps, give a like below.

Melstrathdee · ‎12-09-2019

I gave it a shot unfortunately it didn't work.

I have tried this also ( this is based on the splunk date time doc ) with no luck. Any other ideas?
%b %e %Y %l:%M%p

logs
| xyz.a | 94 | 3100 | 2605 | 0 | 84 | | Dec 3 2019 1:01AM | destructive |
| xyz.b| 94 | 45476 | 31607 | 1 | 70 | 166428 | Dec 3 2019 1:25AM | keeponline |
| xtf.j| 94 | 3100 | 3044 | 0 | 98 | | Dec 3 2019 1:02AM | destructive |

correct TIME_FORMAT for time stamp

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Buttercup Games: Further Dashboarding Techniques (Part 5)

Customers Increasingly Choose Splunk for Observability