Solved: _time improper format

kannu · ‎03-01-2018

Hello splunkers,

I have logs in my file
01-03-2018 15:54:58 WARNING [PID:88888][TradeId:11551427] /apps/abcrc/src/check/src/mx_rtpr.cpp:1146 - Sanity Check Exception void sanity_check(void*, rtPRICING_API_LIBRARY*)@/apps/abcrc/Flex/src/mx_rtpr.cpp:1034:End date not equal to option expiry date

that log is of 1st march 2018 but splunk has taken it as a log of 3 January 2018 , please suggest how to manipulate _time field so that my new data or existing data will come in proper time format .

493669 · ‎03-01-2018

Include TIME_FORMAT in props.conf

[sourcetype_name]
TIME_FORMAT = %d-%m-%Y %H:%M:%S

View solution in original post

493669 · ‎03-01-2018

Include TIME_FORMAT in props.conf

[sourcetype_name]
TIME_FORMAT = %d-%m-%Y %H:%M:%S

skoelpin · ‎03-01-2018

It would also be good to specify TIME_PREFIXand MAX_TIMESTAMP_LOOKAHEAD so splunk knows where the timestamp is located

[sourcetype_name]
TIME_PREFIX = ^
TIME_FORMAT = %d-%m-%Y %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 20

_time improper format

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...

Join the Conversation