This is common with some uses of IBM WebSphere. I have seen timestamps that look like this:
[12/14/11 1:00:00:115 PST] hello
[12/14/11 1:00:00:117 PST] goodbye
[12/14/11 1:00:00:114 PST] whatever
[12/14/11 1:08:00:117 PST] super
[12/14/11 0:07:00:113] star
[12/14/11 0:06:00:117 PST] who
[12/14/11 0:04:00:118 PST] cares
(notice above, some have timezone, and some do not)
In this case, a custom "datetime.xml" will solve it. ($SPLUNK_HOME/etc/datetime.xml has all the default config for timestamp extraction patterns). It's not rocket science to make your own; you just have to write a simple regex for it.
You'll need to edit two files: "props.conf", which you may already edit from time to time, and a file that contains a new datetime config, in this case we'll call it "ninjadatetime.xml".
props.conf will need to reference the location of "ninjadatetime.xml" as the setting for the DATETIME_CONFIG entry. It will now ignore Splunk's defaults and take the new pattern we've created.
ninjadatetime.xml --- has a definition for the "order in which splunk will assign parts of a date and a time", and the corresponding regex, matching and capturing each appropriate component of the date and the time.
If your events have no timezone, you also may want to set the timezone as well (as I have below).
FILE -> props.conf
DATETIME_CONFIG = /etc/apps/search/local/ninjadatetime.xml
TIME_FORMAT = %m/%d/%y %k:%M:%S:%3f
TZ = America/Chicago
FILE -> ninjadatetime.xml
<!-- we're using Splunk's default timezone extraction regex below-->
<define name="_zone" extract="zone">
<!--this pattern captures all of the time/date info, and then uses the above patterns to gather timezone.-->
<define name="_wsdatewzone" extract="month, day, year,hour,minute,second,subsecond,zone">
<!--this pattern captures all of the time/date info but no timezone as one is not present-->
<define name="_wsdatenozone" extract="month, day, year,hour,minute,second,subsecond">
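Added example (not from the post above, and not Splunk's own datetime.xml): a small Python parser that applies the same idea the two defines express, one regex that captures month, day, year, hour, minute, second and subsecond, with the zone as an optional trailing group so lines with and without a timezone both match. The sample lines are constructed to mirror the WebSphere format in the post; the zone offset table and the fallback offset (standing in for the props.conf TZ setting) are assumptions for the demo only.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample, modelled on the WebSphere lines in the post
# (note the third line has no timezone).
SAMPLE = """[12/14/11 1:00:00:115 PST] hello
[12/14/11 1:00:00:117 PST] goodbye
[12/14/11 0:07:00:113] star
[12/14/11 0:04:00:118 PST] cares"""

# One regex stands in for the _wsdatewzone / _wsdatenozone pair:
# the zone group is optional, so both event shapes are captured.
WS_TS = re.compile(
    r"\[(?P<month>\d{1,2})/(?P<day>\d{1,2})/(?P<year>\d{2})\s+"
    r"(?P<hour>\d{1,2}):(?P<minute>\d{2}):(?P<second>\d{2}):(?P<subsecond>\d{3})"
    r"(?:\s+(?P<zone>[A-Z]{3,4}))?\]"
)

# Assumed zone table for the demo; a real deployment would lean on the
# tz database rather than a hand-written map like this.
ZONE_OFFSETS = {"PST": -8, "PDT": -7, "CST": -6, "CDT": -5, "UTC": 0}

# Stands in for "TZ = America/Chicago" from props.conf (CST in December).
DEFAULT_OFFSET_HOURS = -6


def parse_ws_timestamp(line, default_offset_hours=DEFAULT_OFFSET_HOURS):
    """Return {'utc': aware datetime, 'zone': str or None, 'rest': str} or None."""
    m = WS_TS.match(line)
    if not m:
        return None
    f = m.groupdict()
    zone = f["zone"]
    # Missing zone -> fall back to the configured default, as Splunk would with TZ set.
    offset_hours = ZONE_OFFSETS.get(zone, default_offset_hours) if zone else default_offset_hours
    local = datetime(
        2000 + int(f["year"]), int(f["month"]), int(f["day"]),
        int(f["hour"]), int(f["minute"]), int(f["second"]),
        int(f["subsecond"]) * 1000,  # 3-digit subseconds -> microseconds
        tzinfo=timezone(timedelta(hours=offset_hours)),
    )
    return {
        "utc": local.astimezone(timezone.utc),
        "zone": zone,
        "rest": line[m.end():].strip(),
    }


def parse_log(text):
    """Parse every line that carries a WebSphere-style timestamp, skipping the rest."""
    events = []
    for line in text.splitlines():
        parsed = parse_ws_timestamp(line)
        if parsed is not None:
            events.append(parsed)
    return events


def sorted_by_time(events):
    """Events in the post are not in order; sorting on the UTC value shows that."""
    return sorted(events, key=lambda e: e["utc"])


if __name__ == "__main__":
    for e in sorted_by_time(parse_log(SAMPLE)):
        print(e["utc"].isoformat(), e["zone"] or "(default TZ)", e["rest"])
```

Running the block prints the four sample events in UTC order, with "(default TZ)" shown for the line that carried no zone. The optional group is the whole trick: Splunk's datetime.xml needs two defines because each pattern's extract list is fixed, whereas a single regex with an optional group can leave the zone capture empty and let the caller decide what to do about it.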