Solved: how to get splunk to read the correct date and tim...

remy06 · ‎07-22-2010

Hi,

How do I get splunk to show the date and time correctly based on the event?For example if I have the following event from oracle logs:

RETURNCODE=0,OS_PROCESS=1671350,EXTENDED_TIMESTAMP="22/07/10 12:55:50.251291 PM +08:00",TO_CHAR(EXTENDED_TIMESTAMP,'MM="07/22/2010 12:55:50",OS_USERNAME=,USERNAME=,USERHOST=,OBJ_NAME=,SCN=,ACTION=,TRANSACTIONID=,ACTION_NAME=""

Splunk is displaying the incorrect date as:
10/12/07 <-- translate to year 2007..
12:55:50.565 PM

Some events may translate with incorrect time as well.

Have tried using "DATETIME config=current" in props.conf,but still there is a time differences as the splunk and oracle server time is not in sync.

Any idea?

Genti · ‎07-22-2010

remy you can try something like this:

[source::e:\logs\yourlogs\*]
MAX_TIMESTAMP_LOOKAHEAD = 75
TIME_FORMAT = %d/%m/%y %H:%M:%S

Here are the docs on this, read them for more knowledge on how to deal with this: Configure Timestamp Recognition

Cheers,
.gz

View solution in original post

Genti · ‎07-22-2010

remy you can try something like this:

[source::e:\logs\yourlogs\*]
MAX_TIMESTAMP_LOOKAHEAD = 75
TIME_FORMAT = %d/%m/%y %H:%M:%S

Here are the docs on this, read them for more knowledge on how to deal with this: Configure Timestamp Recognition

Cheers,
.gz

how to get splunk to read the correct date and time from events?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases