
How to extract date and time in Splunk?

DonDandrea
Path Finder

I am having problems getting Splunk to recognize date/time. The txt file I am extracting data from has multiple sources. Each source can have a different date/time format. Right now we are using two different types of events but will add new ones in the future. One of the two formats only includes a date. The other format has a date and a time, but they are not grouped together. See example below.

ODEPR  ;04/28/14 ;1D81;CHM_retrieveIntmdDtlMDMPrntInqry ;ValidateResponse ;0.000 ;0.001 ;10704 ;PRO1BAT1 ;ValidateNode ;MQS2BRK
NODENP  ;06/12/14 ;1B90;0:22 ;PYM_entityCheckPatriotAct43A_MF ;FilterEndOfBatch ;0.000 ;0.000 ;9 ;TST1TRN3 ;FilterNode ;MQS9BRK

Any help you can provide would be greatly appreciated.

Thank you,
Don


DonDandrea
Path Finder

I tried this and it worked for the entries that have a time. The entries that do not have time are indexed with the date the file was indexed. To be quite honest I don't care about the time. The entries are once a day. The date is the important piece.


lguinn2
Legend

As long as you keep the different sources in different input files or streams, you should be fine. But I think you will make yourself nuts if you mix more than one timestamp format in the same input.

For each input where you want to specify the time format, you will need an entry in props.conf

[source::/path/to/your/source/file.ext]
TIME_FORMAT=%m/%d/%y
MAX_TIMESTAMP_LOOKAHEAD = 50

This props.conf belongs on the indexer(s) that parse the data, not on the forwarders.

The MAX_TIMESTAMP_LOOKAHEAD is not required, but it is a good idea. I have set it so that it only examines the first 50 characters of the event for the timestamp.

More information here: How Splunk extracts timestamps

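As an added illustration (not from the thread above and not Splunk's own parser), the Python below emulates what the two props.conf settings in the answer do: look only at the first MAX_TIMESTAMP_LOOKAHEAD characters of each event, take the first substring there that matches TIME_FORMAT, and otherwise fall back to an index-time value, which is the behaviour the asker saw for events with no recognizable timestamp. The sample events are the two lines from the question; the directive-to-regex table and the fallback handling are my own assumptions.

```python
import re
from datetime import datetime

# Constructed sample events: the two semicolon-delimited lines quoted in the question.
EVENTS = [
    "ODEPR  ;04/28/14 ;1D81;CHM_retrieveIntmdDtlMDMPrntInqry ;ValidateResponse ;0.000 ;0.001 ;10704 ;PRO1BAT1 ;ValidateNode ;MQS2BRK",
    "NODENP  ;06/12/14 ;1B90;0:22 ;PYM_entityCheckPatriotAct43A_MF ;FilterEndOfBatch ;0.000 ;0.000 ;9 ;TST1TRN3 ;FilterNode ;MQS9BRK",
]

# Assumed mapping of the strptime directives used in the answer to regex fragments,
# so a TIME_FORMAT can be located anywhere inside the lookahead window.
_DIRECTIVES = {"%m": r"\d{2}", "%d": r"\d{2}", "%y": r"\d{2}", "%H": r"\d{1,2}", "%M": r"\d{2}"}


def _format_to_regex(time_format):
    """Turn a strptime-style TIME_FORMAT into a regex that finds one candidate substring."""
    out = []
    i = 0
    while i < len(time_format):
        token = time_format[i:i + 2]
        if token in _DIRECTIVES:
            out.append(_DIRECTIVES[token])
            i += 2
        else:
            out.append(re.escape(time_format[i]))
            i += 1
    return "".join(out)


def extract_timestamp(event, time_format, lookahead=50, fallback=None):
    """Emulate TIME_FORMAT + MAX_TIMESTAMP_LOOKAHEAD: scan only the first `lookahead`
    characters, parse the first match, and return `fallback` (think: index time) if none."""
    window = event[:lookahead]
    pattern = _format_to_regex(time_format)
    for m in re.finditer(pattern, window):
        try:
            return datetime.strptime(m.group(0), time_format)
        except ValueError:  # e.g. "13/45/14" matches the shape but is not a real date
            continue
    return fallback


if __name__ == "__main__":
    index_time = datetime(2014, 7, 1)  # constructed stand-in for "when the file was indexed"
    for event in EVENTS:
        print(extract_timestamp(event, "%m/%d/%y", lookahead=50, fallback=index_time))
    # A lookahead that is too short misses the date at offset 8 and falls back to index time.
    print(extract_timestamp(EVENTS[0], "%m/%d/%y", lookahead=10, fallback=index_time))
```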