
How to extract date and time in Splunk?

DonDandrea
Path Finder

I am having problems getting Splunk to recognize the date/time. The txt file I am extracting data from has multiple sources. Each source can have a different date/time format. Right now we are using two different types of events but will add new ones in the future. One of the two formats only includes a date. The other format has a date and a time, but they are not grouped together. See the example below.

ODEPR  ;04/28/14 ;1D81;CHM_retrieveIntmdDtlMDMPrntInqry ;ValidateResponse ;0.000 ;0.001 ;10704 ;PRO1BAT1 ;ValidateNode ;MQS2BRK
NODENP  ;06/12/14 ;1B90;0:22 ;PYM_entityCheckPatriotAct43A_MF ;FilterEndOfBatch ;0.000 ;0.000 ;9 ;TST1TRN3 ;FilterNode ;MQS9BRK

Any help you can provide would be greatly appreciated.

Thank you,
Don


DonDandrea
Path Finder

I tried this and it worked for the entries that have a time. The entries that do not have a time are indexed with the date the file was indexed. To be quite honest I don't care about the time. The entries are once a day. The date is the important piece.


lguinn2
Legend

As long as you keep the different sources in different input files or streams, you should be fine. But I think you will make yourself nuts if you mix more than one timestamp format in the same input.

For each input where you want to specify the time format, you will need an entry in props.conf:

[source::/path/to/your/source/file.ext]
TIME_FORMAT=%m/%d/%y
MAX_TIMESTAMP_LOOKAHEAD = 50

This props.conf belongs on the indexer(s) that parse the data, not on the forwarders.

The MAX_TIMESTAMP_LOOKAHEAD is not required, but it is a good idea. I have set it so that it only examines the first 50 characters of the event for the timestamp.

More information here: How Splunk extracts timestamps

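To make the effect of TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD concrete, here is an added Python sketch (not Splunk's own code, and not from the answer above) that mimics the two settings on the two sample events from the question: it searches only the first MAX_TIMESTAMP_LOOKAHEAD characters for a string matching TIME_FORMAT, parses it with strptime, and otherwise falls back to a caller-supplied index time, which is the behaviour the asker saw for events without a recognized timestamp. The regex table for strptime directives and the fallback rule are simplifying assumptions, not Splunk's exact algorithm.

```python
import re
from datetime import datetime

# Constructed sample events in the format shown in the question (values are not real data).
EVENTS = [
    "ODEPR  ;04/28/14 ;1D81;CHM_retrieveIntmdDtlMDMPrntInqry ;ValidateResponse ;0.000 ;0.001 ;10704 ;PRO1BAT1 ;ValidateNode ;MQS2BRK",
    "NODENP  ;06/12/14 ;1B90;0:22 ;PYM_entityCheckPatriotAct43A_MF ;FilterEndOfBatch ;0.000 ;0.000 ;9 ;TST1TRN3 ;FilterNode ;MQS9BRK",
]

# Mirrors the props.conf stanza from the answer.
TIME_FORMAT = "%m/%d/%y"
MAX_TIMESTAMP_LOOKAHEAD = 50

# Assumption: only the strptime directives needed for this page are mapped to regex fragments.
_DIRECTIVE_RE = {"%m": r"\d{2}", "%d": r"\d{2}", "%y": r"\d{2}", "%H": r"\d{1,2}", "%M": r"\d{2}"}


def format_to_regex(fmt):
    """Turn a strptime-style TIME_FORMAT into a regex that locates a candidate timestamp."""
    pattern, i = "", 0
    while i < len(fmt):
        if fmt[i] == "%" and fmt[i:i + 2] in _DIRECTIVE_RE:
            pattern += _DIRECTIVE_RE[fmt[i:i + 2]]
            i += 2
        else:
            pattern += re.escape(fmt[i])
            i += 1
    return pattern


def extract_timestamp(event, time_format=TIME_FORMAT, lookahead=MAX_TIMESTAMP_LOOKAHEAD, index_time=None):
    """Return (timestamp, origin). origin is 'event' when a TIME_FORMAT match is found inside
    the lookahead window, else 'index' and the supplied index_time is used instead."""
    window = event[:lookahead]                      # MAX_TIMESTAMP_LOOKAHEAD limits the scan
    match = re.search(format_to_regex(time_format), window)
    if match:
        try:
            return datetime.strptime(match.group(0), time_format), "event"
        except ValueError:                          # e.g. month 13: looks like a date but is not one
            pass
    return index_time, "index"


if __name__ == "__main__":
    now = datetime.now()
    for ev in EVENTS:
        ts, origin = extract_timestamp(ev, index_time=now)
        print(f"{origin:5s} {ts:%Y-%m-%d}  {ev[:30]}...")
    # Shrinking the window below the date's offset shows why the lookahead must cover it.
    print(extract_timestamp(EVENTS[0], lookahead=5, index_time=now)[1])
```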