Getting Data In

Splunk cannot parse ISO8601/RFC3339 timestamp (e.g. 2017-05-09T19:56:50.233319+00:00)

efcasado
New Member

I am having issues getting Splunk to parse the ISO8601/RFC3339 timestamps included in my log messages.

I am using the syslog data source, which I configured to parse timestamps with the following format string: %Y-%m-%dT%H:%M:%S.%6N%:z

This is what the props.conf file looks like (I also tried increasing the MAX_TIMESTAMP_LOOKAHEAD setting to 64, but it did not help):

[syslog]
DATETIME_CONFIG =
MAX_TIMESTAMP_LOOKAHEAD = 32
NO_BINARY_CHECK = true
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6N%:z
disabled = false

This is how Splunk is outputting my log messages:

2017-05-09T19:56:50.233319+00:00 myhost myapp1[13861]: 19:56:50.233 [info] This is just a dummy log message

As you can see, Splunk is automatically adding yet another timestamp to my log message (i.e. 19:56:50.233) just as if it was not able to parse the original timestamp.

0 Karma

gcusello
SplunkTrust

Hi efcasado,
Having an example of your logs I could test it, but it seems to me that the problem may be in the timezone:

%Y-%m-%dT%H:%M:%S.%6N%z

Bye.
Giuseppe

0 Karma

koshyk
Super Champion

Can you please add the raw data here too? Splunk won't add a new time as per the above config, but I feel it is added by your syslog server or upstream system.

0 Karma
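
An offline check of the two format strings from this thread against the posted sample line, added here as an example and not code from any of the posters or from Splunk. It assumes a strict regex reading of only the directives that appear above and models MAX_TIMESTAMP_LOOKAHEAD as a cut-off on the start of the event; Splunk's own parser may be more lenient, and the names `format_to_regex` and `extract_timestamp` are hypothetical.

```python
import re
from datetime import datetime

# Values copied from the thread; the event is the sample line posted above.
RAW_EVENT = ("2017-05-09T19:56:50.233319+00:00 myhost myapp1[13861]: "
             "19:56:50.233 [info] This is just a dummy log message")
FORMAT_WITH_COLON = "%Y-%m-%dT%H:%M:%S.%6N%:z"   # from the question
FORMAT_NO_COLON = "%Y-%m-%dT%H:%M:%S.%6N%z"      # from the first reply

# Assumption: a strict regex reading of only the directives used in this thread.
DIRECTIVES = {
    "%Y": r"(?P<Y>\d{4})", "%m": r"(?P<m>\d{2})", "%d": r"(?P<d>\d{2})",
    "%H": r"(?P<H>\d{2})", "%M": r"(?P<M>\d{2})", "%S": r"(?P<S>\d{2})",
    "%6N": r"(?P<N>\d{6})",               # exactly six subsecond digits
    "%:z": r"(?P<z>[+-]\d{2}:\d{2})",     # offset with a colon, e.g. +00:00
    "%z": r"(?P<z>[+-]\d{4})",            # offset without a colon, e.g. +0000
}

def format_to_regex(fmt):
    """Turn a format string into a regex; anything else is literal text."""
    parts = re.split(r"(%6N|%:z|%[YmdHMSz])", fmt)
    return re.compile("".join(DIRECTIVES.get(p, re.escape(p)) for p in parts))

def extract_timestamp(raw, fmt, lookahead):
    """Return an aware datetime if fmt matches at the start of raw within the
    first `lookahead` characters, else None."""
    match = format_to_regex(fmt).match(raw[:lookahead])
    if match is None:
        return None
    g = match.groupdict()
    iso = "{Y}-{m}-{d}T{H}:{M}:{S}.{N}".format(**g) + g["z"].replace(":", "")
    try:
        return datetime.strptime(iso, "%Y-%m-%dT%H:%M:%S.%f%z")
    except ValueError:      # digits matched but are not a real date/time
        return None

if __name__ == "__main__":
    for fmt, lookahead in [(FORMAT_WITH_COLON, 32), (FORMAT_WITH_COLON, 31),
                           (FORMAT_NO_COLON, 32)]:
        print(fmt, lookahead, "->", extract_timestamp(RAW_EVENT, fmt, lookahead))
```

The leading timestamp in the sample is exactly 32 characters long, so under these assumptions a lookahead of 32 is the smallest window that still contains the whole offset.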