Splunk Search

How to get Splunk to read the correct date from the event?

zyxcc
New Member

Hi,

I am new to Splunk. Now, I am facing a problem.
The date in every event is as the following:

12/10/22

Splunk cannot read the date, so it displays the time when the file was created.
I have tried to add TIME_FORMAT = %y/%m/%d in props.conf.
But it doesn't work. Is there anything I did wrong? Any idea? Thanks.

0 Karma
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

I've personally had trouble with date-only "time"stamps in the past as well, and my fix was to add a bogus 00:00:00 time to the date. That way you have a much easier task of getting the event dated correctly.

This may be possible with a SEDCMD in props.conf (something along the lines of s/(\d\d\/\d\d\/\d\d)/\1 00:00:00/), but I'm not 100% certain whether it gets applied before or after timestamp parsing. You should give it a try.


martin_mueller
SplunkTrust
SplunkTrust

You can try the sed script I posted earlier together with the SEDCMD setting in props.conf. In-depth documentation is here: http://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedatausingconfigurationfiles#Through...

0 Karma

zyxcc
New Member

Yes. It works. But how do I add the time (00:00:00) to the date of all the events? I have only tested it on one event.

0 Karma

DaveSavage
Builder

Zyxcc, apologies - I stand corrected (thanks martin_m).
There is a TIME_PREFIX to be found in props.conf which tells Splunk where to start matching from, and another parameter, MAX_TIMESTAMP_LOOKAHEAD, to set how many characters it should look ahead for a timestamp. I'd back up the file, edit a new version into your /local and try a few combinations of those.
Sorry I can't be of more help - your data example looks pretty simple unless it's an extract of a larger event. P160-164 of the Splunk Data manual has more.

0 Karma
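An added example, not posted by anyone in this thread, of how the props.conf settings zyxcc and DaveSavage mention fit together for the sample event AJOEY ,Y ,Y ,Y ,Y , ,12/10/22; the stanza name is a placeholder for whatever sourcetype the input is assigned.

```ini
# props.conf, in $SPLUNK_HOME/etc/system/local/ or an app's local/ directory.
# The stanza name is a placeholder: use the sourcetype of the monitored file.
[my_csv_events]

# Weak setting (what the original poster tried): the format alone.
# Splunk starts matching TIME_FORMAT where TIME_PREFIX ends, and with no
# TIME_PREFIX that is the start of the event, i.e. at "AJOEY ,Y ,Y ...".
# The date is never reached and Splunk falls back to the file's time.
# TIME_FORMAT = %y/%m/%d

# Corrected: move the starting point to just before the date field.
# The date is the last comma-separated field, so skip up to the comma
# (plus optional spaces) that is followed by dd/dd/dd.
TIME_PREFIX = ,\s*(?=\d\d/\d\d/\d\d)

# Two-digit year, month, day, as the poster read 12/10/22. Lower-case %y
# is correct here: the event carries "12", not "2012" (%Y would not match).
TIME_FORMAT = %y/%m/%d

# The date is exactly 8 characters long. A tight lookahead stops Splunk
# from scanning past the field and picking up unrelated digits.
MAX_TIMESTAMP_LOOKAHEAD = 8
```

After restarting and indexing fresh data, compare _time with the date in _raw for a few events before relying on them for correlation or investigation; existing events are not re-timestamped by a props.conf change.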

zyxcc
New Member

It doesn't have a time. Here is an example of an event in my file.
AJOEY ,Y ,Y ,Y ,Y , ,12/10/22

The date is without a time. How can Splunk read the date?
Thanks!

0 Karma

DaveSavage
Builder

Year %Y should be in upper case, zyxcc; month and day are lower case, hours, minutes etc. upper case.

0 Karma

zyxcc
New Member

Yes. And there is no time, either.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

The upper case %Y does not help here, he doesn't have "2012" but only "12". That's the lowercase %y.

0 Karma

Drainy
Champion

A paste of an example event and your entire props may be helpful.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Is there a time as well?

0 Karma