Hello,
I'm having trouble extracting the following timestamp for one source. Is there someone here who can recommend what values to put into the $SPLUNK_HOME/etc/system/default/local file under the TIME_FORMAT attribute?
Dec 3 2019 12:59AM
I have set TIME_FORMAT to be %b %#d %Y %l:%M%p but it is ignoring the AM or PM.
I am getting an error: could not use strptime to parse timestamp from | xyz.com | 94 | 2051 | 436 | 0 | 21 | | Dec 3 2019 12:59AM | destructive |
and it is returning this as the timestamp: 12/3/19 12:59:00.000 PM
Thank you
In props.conf:
[yoursourcetype]
TIME_FORMAT = %b %d %Y %I:%M%p
I gave it a shot; unfortunately it didn't work.
I have tried this also (this is based on the Splunk date time doc) with no luck. Any other ideas?
%b %e %Y %l:%M%p
Logs:
| xyz.a | 94 | 3100 | 2605 | 0 | 84 | | Dec 3 2019 1:01AM | destructive |
| xyz.b| 94 | 45476 | 31607 | 1 | 70 | 166428 | Dec 3 2019 1:25AM | keeponline |
| xtf.j| 94 | 3100 | 3044 | 0 | 98 | | Dec 3 2019 1:02AM | destructive |
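
An added example, not part of the thread or any poster's code: an offline check of the suggested format string against the events above, parsed once from the start of the event and once from the timestamp column. It assumes Python's `strptime` as a stand-in for Splunk's parser, and the `TIME_PREFIX` regex and function names are constructed here for illustration.

```python
import re
from datetime import datetime

# Same directives as the TIME_FORMAT suggested in the thread. Python's strptime
# is a stand-in (assumption); Splunk's parser may differ in details.
TIME_FORMAT = "%b %d %Y %I:%M%p"

# Hypothetical prefix regex: skip the leading pipe and the first seven
# pipe-delimited fields so parsing starts at the timestamp column.
TIME_PREFIX = re.compile(r"^\|(?:[^|]*\|){7}\s*")

# Events copied from the thread.
EVENTS = [
    "| xyz.com | 94 | 2051 | 436 | 0 | 21 | | Dec 3 2019 12:59AM | destructive |",
    "| xyz.a | 94 | 3100 | 2605 | 0 | 84 | | Dec 3 2019 1:01AM | destructive |",
    "| xyz.b| 94 | 45476 | 31607 | 1 | 70 | 166428 | Dec 3 2019 1:25AM | keeponline |",
]


def parse_from_start(event):
    """Apply the format at offset 0 of the raw event (no prefix)."""
    try:
        return datetime.strptime(event, TIME_FORMAT)
    except ValueError:
        return None  # the event starts with "|", not a month name


def parse_after_prefix(event):
    """Apply the format to the text that follows the prefix match."""
    match = TIME_PREFIX.match(event)
    if match is None:
        return None
    # The timestamp text runs up to the next pipe.
    candidate = event[match.end():].split("|", 1)[0].strip()
    try:
        return datetime.strptime(candidate, TIME_FORMAT)
    except ValueError:
        return None


if __name__ == "__main__":
    for event in EVENTS:
        print(parse_from_start(event), "|", parse_after_prefix(event))
```

With the column anchored, `12:59AM` parses to hour 0, which is the result to compare against the `12:59:00.000 PM` reported in the question.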