Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

extract date time from log entries

muriloalves
Explorer
‎05-03-2017 09:38 AM

I have the following log structure from which I want to index date time properly. 

INFO   :20170503:11.21.54.48:XYZWX ABC123:[MESSAGE 123456]
INFO   :20170503:11.21.54.54:XYZWX ABC123:[MESSAGE 123456]
INFO   :20170503:11.21.54.60:XYZWX ABC123:[MESSAGE 123456]
WARNING:20170503:11.21.54.60:XYZWX ABC123:[MESSAGE 123456]
WARNING:20170503:11.21.54.60:XYZWX ABC123:[MESSAGE 123456]

I tried to add this to my props.conf - but cannot get this done right.

[mysourcetype]
TIME_PREFIX = :
TIME_FORMAT = %y%m%d:%H.%M.%S

I'm not really good at regex , so if you guys are able to help me I will appreciate.

Thanks,

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-03-2017 10:32 AM

TIME_FORMAT doesn't use regex.

Try TIME_FORMAT = %Y%m%d:%H.%M.%S.%2N

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-03-2017 10:32 AM

TIME_FORMAT doesn't use regex.

Try TIME_FORMAT = %Y%m%d:%H.%M.%S.%2N

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

muriloalves
Explorer
‎05-03-2017 03:09 PM

This is how the final solution looks like.
Thanks all for helping me to get it done.

[my_logs]
TIME_PREFIX = ^\w+\s+:
TIME_FORMAT = %Y%m%d:%H.%M.%S.%2N
MAX_TIMESTAMP_LOOKAHEAD = 20

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎05-03-2017 12:38 PM

Would suggest adding this as well to your props.conf

TIME_PREFIX = ^\w+\s+\:
0 Karma
Reply
Solved! Jump to solution

muriloalves
Explorer
‎05-03-2017 01:36 PM

this is what i setup on my props.conf on the indexer app

[my_logs]
TIME_PREFIX = ^\w+\s+:
TIME_FORMAT = %y%m%d:%H.%M.%S.%2N
MAX_TIMESTAMP_LOOKAHEAD = 20

still no luck , getting the timestamp data was indexed

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎05-03-2017 01:44 PM

YOu need to use the exact string provided by @richgalloway (you're using lower-case y for year, which is used for 2 digit year, your data has 4 digit year so you should be using upper-case Y in TIME_FORMAT.

0 Karma
Reply
Solved! Jump to solution

muriloalves
Explorer
‎05-03-2017 02:43 PM

thanks a lot for that, it was exactly it was missing.
had gone thru that mask many times and missed it.
thanks a lot guys 🙂

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...