That's a very special way of doing time. Your absolute best thing is if you can just ask the owners of the app to fix this. They could likely just write them as strings and it'll not do it any more, it's really not a big or hard change. But surely even they can look at that "timestamp" and see that something's not right. Sometimes asking nicely....
If that isn't possible...
Some up front admissions and caveats: I'm completely happy if someone with a more thorough understanding of how this works wants to take what little I have here and fix it and otherwise clean it up and make it totally right, then claim that answer as their own. I'm no expert, but maybe this will steer you in the right direction. I'm SURE if you can make it work your way is better even if only because it bends sanity into fewer pretzels, but I think (don't know - only think) that the replacements you are thinking of doing happen after timestamps are done. Maybe you can get it with SEDCMD in props, though. (That's a free tip there for you!) But, if that doesn't work...
You will likely need to create a new datetime.xml (call it, perhaps, @$splunkhome/etc/system/local/mydatetime.xml) and reference that from a props.conf entry (search for the second DATETIME_CONFIG in props.conf). Here's an answer where someone does that.
What you'll need in there is a bit less than well documented, and *there's a big problem I'll go into more detail later on* that I don't have time to puzzle out or test right now, but hopefully it'll just work. Anyway, what I think you'll need is each of the three types of timestamps in there.
^[^|]+\|[^|]+\|(\d{4})(\d{2})(\d{2})\|(\d{2})\|
^[^|]+\|[^|]+\|(\d{4})(\d{2})(\d{2})\|(\d{2})(\d{2})\|
^[^|]+\|[^|]+\|(\d{4})(\d{2})(\d{2})\|(\d{2})(\d{2})(\d{2})\|
Those match, in order, year month day | seconds, year month day | minutes seconds, and year month day | hours minutes seconds. But where do those entries go?
Well, obviously, the file is $splunkhome/etc/system/local/mydatetime.xml but far less obviously, its contents might be something like
<datetime>
    <define name="hourminsec" extract="year, month, day, hour, minute, second">
        <text><![CDATA[^[^|]+\|[^|]+\|(\d{4})(\d{2})(\d{2})\|(\d{2})(\d{2})(\d{2})\|]]></text>
    </define>
    <define name="minsec" extract="year, month, day, minute, second">
        <text><![CDATA[^[^|]+\|[^|]+\|(\d{4})(\d{2})(\d{2})\|(\d{2})(\d{2})\|]]></text>
    </define>
    <define name="sec" extract="year, month, day, second">
        <text><![CDATA[^[^|]+\|[^|]+\|(\d{4})(\d{2})(\d{2})\|(\d{2})\|]]></text>
    </define>
    <timePatterns>
        <use name="hourminsec"/>
        <use name="minsec"/>
        <use name="sec"/>
    </timePatterns>
    <datePatterns>
        <use name="hourminsec"/>
        <use name="minsec"/>
        <use name="sec"/>
    </datePatterns>
</datetime>
That along with a lot of sweating and staring at docs pages and a liberal sprinkling of hope may do it. Barely.
I just realized, "sweating" and "swearing" are only one letter apart. Hmm...
BUT THE PROBLEM - see, you knew I'd bring this back up! I don't know if a) having no hour will work AT ALL, nor do I know b) if it does work, if it substitutes in the CURRENT hour or minute or if it substitutes in zero. My guess is IF it works at all it'll do the current time. But it could also substitute in the modified time of the file - I really don't know and it's not documented as far as I can tell. It could be worth a try, though.
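An offline check of the three regexes from the answer above, added here as an example and not part of the original post. It is plain Python rather than Splunk: the `classify` helper and the sample events are constructed for illustration, and a field that a pattern does not capture is simply absent from the result, which says nothing about what Splunk substitutes for it.

```python
import re

# Shared prefix from the post: two pipe-delimited fields, then YYYYMMDD and a pipe.
PREFIX = r"^[^|]+\|[^|]+\|(\d{4})(\d{2})(\d{2})\|"

# Same three patterns and the same order as the <timePatterns> block in the post.
PATTERNS = [
    ("hourminsec", ("year", "month", "day", "hour", "minute", "second"),
     re.compile(PREFIX + r"(\d{2})(\d{2})(\d{2})\|")),
    ("minsec", ("year", "month", "day", "minute", "second"),
     re.compile(PREFIX + r"(\d{2})(\d{2})\|")),
    ("sec", ("year", "month", "day", "second"),
     re.compile(PREFIX + r"(\d{2})\|")),
]


def classify(event):
    """Return (pattern_name, extracted_fields) for the first match, else (None, {})."""
    for name, fields, rx in PATTERNS:
        m = rx.match(event)
        if m:
            return name, dict(zip(fields, (int(g) for g in m.groups())))
    return None, {}


# Constructed sample events (not real application output).
# The odd-length time fields assume the application can drop a single leading zero.
SAMPLES = [
    "app1|host7|20240315|131205|six digits",
    "app1|host7|20240315|1205|four digits",
    "app1|host7|20240315|05|two digits",
    "app1|host7|20240315|10203|five digits",
    "app1|host7|20240315|105|three digits",
    "app1|host7|20240315|5|one digit",
]


def unmatched(events):
    """Events that none of the three patterns would timestamp."""
    return [e for e in events if classify(e)[0] is None]


if __name__ == "__main__":
    for event in SAMPLES:
        print(classify(event), "<-", event)
    print("no pattern matched:", unmatched(SAMPLES))
```

A time field of 1, 3 or 5 digits matches none of the three patterns, so if the application can emit those, they need to be accounted for before relying on this configuration.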