Solved: Can I have different timestamp formats using the s...

rune_hellem · ‎07-29-2014

Indexing a lot of SystemOut.log files from WebSphere I realize that all almost all log files uses the following time format

TIME_FORMAT = %m/%d/%y %H:%M:%S%3N %Z

But on some old servers the format is

TIME_FORMAT = %d/%m/%y %H:%M:%S%3N %Z

Is it possible for to use two formats for the same sourcetype? Or as an alternative can I create a "child sourcetype" with no other changes than the time_format?

strive · ‎07-29-2014

Yes it is possible by having your app specific datetime.xml

See this
http://answers.splunk.com/answers/11173/how-to-extact-multiple-timestamp-formats-for-syslog-input

Also, there is another website where they have some examples

http://www.function1.com/2013/01/oh-no-splunking-log-files-with-multiple-formats-no-problem

View solution in original post

strive · ‎07-29-2014

Yes it is possible by having your app specific datetime.xml

See this
http://answers.splunk.com/answers/11173/how-to-extact-multiple-timestamp-formats-for-syslog-input

Also, there is another website where they have some examples

http://www.function1.com/2013/01/oh-no-splunking-log-files-with-multiple-formats-no-problem

rune_hellem · ‎08-01-2014

For Windows users, worth noticing how to correctly define path to custom datetime.xml escaping backslashes. Took some time before I figured that one out (use double backslashes, it does not show here)

DATETIME_CONFIG = \\etc\\apps\\myapp\\local\\datetime.xml

tom_frotscher · ‎07-29-2014

I don't know if this works in your usecase. But you should be able to use a custom datetime.xml to solve this. Take a look at this: http://answers.splunk.com/answers/1807/2-different-timestamps-in-single-log

Can I have different timestamp formats using the same sourcetype?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes