Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk cannot parse ISO8601/RFC3339 timestamp (e.g. 2017-05-09T19:56:50.233319+00:00)

efcasado
New Member
‎05-09-2017 01:12 PM

I am having issues getting Splunk to parse the ISO8601/RFC3339 timestamps included in my log messages.

I am using the syslog data source, which I configured to parse timestamps with the following format string: %Y-%m-%dT%H:%M:%S.%6N%:z

This is how the props.conf file looks like (I also tried increasing the MAX_TIMESTAMP_LOOKAHEAD setting to 64 but did not help):

[syslog]
DATETIME_CONFIG =
MAX_TIMESTAMP_LOOKAHEAD = 32
NO_BINARY_CHECK = true
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6N%:z
disabled = false

This is how Splunk is outputing my log messages:

2017-05-09T19:56:50.233319+00:00 myhost myapp1[13861]: 19:56:50.233 [info] This is just a dummy log message

As you can see, Splunk is automatically adding yet another timestamp to my log message (i.e. 19:56:50.233) just as if it was not able to parse the original timestamp.

0 Karma
Reply

gcusello
Legend
‎05-10-2017 07:25 AM

Hi efcasado,
having an example of your logs I could test it, but It seems to me that the problem may be on the timezone

%Y-%m-%dT%H:%M:%S.%6N%z

Bye.
Giuseppe

0 Karma
Reply

koshyk
Super Champion
‎05-09-2017 01:58 PM

can you please add the raw data here too. Splunk won't add new time as per above config, but I feel it is added by your syslog server or upstream system

0 Karma
Reply
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!

Get Updates on the Splunk Community!