Solved: Re: _time improper format

kannu · ‎03-01-2018

Hello splunkers,

I have logs in my file
01-03-2018 15:54:58 WARNING [PID:88888][TradeId:11551427] /apps/abcrc/src/check/src/mx_rtpr.cpp:1146 - Sanity Check Exception void sanity_check(void*, rtPRICING_API_LIBRARY*)@/apps/abcrc/Flex/src/mx_rtpr.cpp:1034:End date not equal to option expiry date

that log is of 1st march 2018 but splunk has taken it as a log of 3 January 2018 , please suggest how to manipulate _time field so that my new data or existing data will come in proper time format .

493669 · ‎03-01-2018

Include TIME_FORMAT in props.conf

[sourcetype_name]
TIME_FORMAT = %d-%m-%Y %H:%M:%S

View solution in original post

493669 · ‎03-01-2018

Include TIME_FORMAT in props.conf

[sourcetype_name]
TIME_FORMAT = %d-%m-%Y %H:%M:%S

skoelpin · ‎03-01-2018

It would also be good to specify TIME_PREFIXand MAX_TIMESTAMP_LOOKAHEAD so splunk knows where the timestamp is located

[sourcetype_name]
TIME_PREFIX = ^
TIME_FORMAT = %d-%m-%Y %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 20

_time improper format

Observability | How to Think About Instrumentation Overhead (White Paper)

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

The Great Resilience Quest: 10th Leaderboard Update