Getting Data In

How to get Splunk to read the correct date and time from events?

remy06
Contributor

Hi,

How do I get Splunk to show the date and time correctly based on the event? For example, if I have the following event from Oracle logs:

RETURNCODE=0,OS_PROCESS=1671350,EXTENDED_TIMESTAMP="22/07/10 12:55:50.251291 PM +08:00",TO_CHAR(EXTENDED_TIMESTAMP,'MM="07/22/2010 12:55:50",OS_USERNAME=,USERNAME=,USERHOST=,OBJ_NAME=,SCN=,ACTION=,TRANSACTIONID=,ACTION_NAME=""

Splunk is displaying the incorrect date as:
10/12/07 <-- translate to year 2007..
12:55:50.565 PM

Some events may translate with incorrect time as well.

I have tried using "DATETIME config=current" in props.conf, but there is still a time difference, as the Splunk and Oracle server times are not in sync.

Any idea?

1 Solution

Genti
Splunk Employee

remy, you can try something like this:

[source::e:\logs\yourlogs\*]
MAX_TIMESTAMP_LOOKAHEAD = 75
TIME_FORMAT = %d/%m/%y %H:%M:%S

Here are the docs on this; read them for more knowledge on how to deal with this: Configure Timestamp Recognition

Cheers,
.gz
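An added example, not part of the answer above or of Splunk itself: a Python check that a candidate format string reads the EXTENDED_TIMESTAMP field as intended before it goes into props.conf. The sample events are constructed from the line in the question; the function names, the year-first comparison format and the 12-hour/offset format are assumptions, and Python's strptime directives overlap with but are not identical to Splunk's TIME_FORMAT directives.

```python
import re
from datetime import datetime, timezone

# Constructed sample events modelled on the Oracle audit line in the question.
EVENTS = [
    'RETURNCODE=0,OS_PROCESS=1671350,'
    'EXTENDED_TIMESTAMP="22/07/10 12:55:50.251291 PM +08:00",ACTION=',
    'RETURNCODE=0,OS_PROCESS=1671351,'
    'EXTENDED_TIMESTAMP="22/07/10 03:05:09.000123 PM +08:00",ACTION=',
]

# Anchor on the field name so digits earlier in the event (for example
# OS_PROCESS) are never mistaken for a date.
FIELD = re.compile(r'EXTENDED_TIMESTAMP="([^"]+)"')

ANSWER_FORMAT = "%d/%m/%y %H:%M:%S"         # format string from the answer
FULL_FORMAT = "%d/%m/%y %I:%M:%S.%f %p %z"  # assumption: 12-hour clock + offset
WRONG_ORDER = "%y/%m/%d %H:%M:%S"           # year-first misreading


def raw_timestamp(event):
    match = FIELD.search(event)
    if match is None:
        raise ValueError("no EXTENDED_TIMESTAMP field in event")
    return match.group(1)


def parse_prefix(event, fmt):
    """Parse only the leading 'dd/mm/yy HH:MM:SS' (17 characters), naive."""
    return datetime.strptime(raw_timestamp(event)[:17], fmt)


def parse_full(event):
    """Parse the whole field, including microseconds, AM/PM and UTC offset."""
    return datetime.strptime(raw_timestamp(event), FULL_FORMAT)


if __name__ == "__main__":
    for event in EVENTS:
        print("raw        :", raw_timestamp(event))
        print("answer fmt :", parse_prefix(event, ANSWER_FORMAT))
        print("year-first :", parse_prefix(event, WRONG_ORDER))
        print("full, UTC  :", parse_full(event).astimezone(timezone.utc))
```

The same digits parse without error as either 22 July 2010 or 10 July 2022 depending on field order, and the second sample shows that a 24-hour directive reads an afternoon 12-hour time as 03:05 instead of 15:05, which matters when event times are used to order activity across hosts.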
