Hello...
I'm having some trouble indexing some log files, because of the format they are in.
Example:
11/12 22:54:31.87:8becc368:02:00:sradisk : verify requests 7629376 (645/sec)
As you can see, there's no year on the date. The format is Month/Date only.
My problem is, Splunk is indexing this like:
12/22/11
10:54:31.800 PM
So, it's getting the hour of the event and using it as the day, getting the month and using it as the year, and the day becomes the month!
I'm wondering if there's a way to solve this, since some of my logs normally do not have the year field.
Thanks a lot,
Thiago
Not too sure if this applies here, but you could use this:
rename "date_mday" as "Day" "_time" as "Time" | convert timeformat=%H.%M ctime(Time) |table Day, Time
What this does is put it in a table, but it will still show if you click Visualization. Obviously this would require some editing, but you could use something similar.
Hi,
I had a similar problem and the following worked for my case:
TZ = Europe/Dublin
TIME_FORMAT = %m/%d %H:%M:%S
EXTRACT-fields = (?im)^(?P<TIMESTAMP>\d{2}/\d{2}\s\d{2}:\d{2}:\d{2})\s
in the props.conf file
http://docs.splunk.com/Documentation/Splunk/latest/admin/Propsconf
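To make the settings above concrete, here is an added example (my own code, not from this thread or from Splunk) that does in plain Python what a TIME_PREFIX / MAX_TIMESTAMP_LOOKAHEAD / TIME_FORMAT stanza asks the indexer to do: anchor the timestamp at the start of the line, take only the "MM/DD HH:MM:SS.ff" part so the hex and counter fields after it cannot be swallowed as date parts, and supply the missing year from a reference time with a December/January rollover check. The sample lines and the reference times are constructed.

```python
import re
from datetime import datetime

# Constructed sample lines in the format from the question (no year field).
SAMPLE_LINES = [
    "11/12 22:54:31.87:8becc368:02:00:sradisk : verify requests 7629376 (645/sec)",
    "12/30 23:59:59.01:8becc368:02:00:sradisk : verify requests 7629400 (645/sec)",
]

# Acts like TIME_PREFIX = ^ plus a MAX_TIMESTAMP_LOOKAHEAD of 17 characters:
# the pattern is anchored and stops after the hundredths of a second, so
# ":8becc368:02:00" can never be read as extra date components.
TIMESTAMP_RE = re.compile(r"^(?P<ts>\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{2})")

# Counterpart of TIME_FORMAT; %Y is prepended by us because the log has no year.
TIME_FORMAT = "%Y %m/%d %H:%M:%S.%f"


def parse_timestamp(line, ref):
    """Return the event time for one line, or None if no timestamp matches.

    ref is the time the line was observed (file modification time or index
    time).  If month/day would land after ref, the event is from the previous
    year: a December line read in early January must not become next December.
    """
    m = TIMESTAMP_RE.match(line)
    if m is None:
        return None
    ts = m.group("ts")
    # %f expects microseconds, so pad the two hundredths digits to six.
    ts = ts[:-2] + ts[-2:].ljust(6, "0")
    candidate = datetime.strptime(f"{ref.year} {ts}", TIME_FORMAT)
    if candidate > ref:
        candidate = datetime.strptime(f"{ref.year - 1} {ts}", TIME_FORMAT)
    return candidate


def index_lines(lines, ref_iso):
    """Parse every line against an ISO-8601 reference time; ISO strings out."""
    ref = datetime.fromisoformat(ref_iso)
    return [parse_timestamp(ln, ref).isoformat(timespec="milliseconds") for ln in lines]


if __name__ == "__main__":
    for when in ("2011-12-31T23:59:59", "2012-01-03T09:00:00"):
        print(when, "->", index_lines(SAMPLE_LINES, when))
```

The second reference time shows the rollover: the same two lines, seen a few days into the new year, are dated to the year before.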
The only .conf files that exist by default upon installation of Splunk are the ones in /etc/system/default.
You must create your own copy of the relevant .conf file in /etc/system/local to define personal settings. In this particular case, you should first read:
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles for information on how to use configuration files
and then read:
http://docs.splunk.com/Documentation/Splunk/latest/Data/Configuretimestamprecognition for specifics on timestamping issues
Hi there!
Sorry, but I'm new to Splunk. Where should I put those lines?
I'm trying to find the file where I can define the personal filters, but can't find it.
Thanks.