Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

french timestamp not understood

pfoucher
Engager
‎11-18-2014 06:33 AM

Hello,
I have a log where the timestamp is written with a abbreviated name for the month. My problem is that the abreviation is a french one and splunk does not understand it.
Example : (déc for december)
01-déc-10|15:28:16.0| xxxx
01-déc-10|15:59:38.3| yyy
As a consequence, all the lines are appended into a single event.
I tried to modify the file datetime.xml, but it didn't work.
Can someone help me ?
Thank you

Tags (1)
Reply

raz_gp
Explorer
‎12-22-2023 01:14 AM

having the same issue for weekdays and month dates. 
Is this something that will happen or we need to fix it ourselves creatively ?


mer. 13 déc. 2023 23:31:20 CET file_hash=96def1...
mar. 19 déc. 2023 22:06:55 CET user=x ... 
mar. 19 déc. 2023 09:16:13 CET user=y ...

0 Karma
Reply

gfuente
Motivator
‎11-21-2014 06:52 AM

Hello

This is officially not supported:

Note: Splunk Enterprise does not currently recognize non-English month names in timestamps. If you have an app that writes non-English month names to log files, reconfigure the app to use numerical months, if possible.

From: http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Configuretimestamprecognition

Regards

Reply

lmyrefelt
Builder
‎11-18-2014 07:24 AM

The following should work;

in props.conf

["your-sourcetype"]
DATETIME_CONFIG = ("path")/etc/apps/"app-name"/"path"/datetime.xml

inside datetime.xml, under lithmonth / _litmonth

dec|déc

... Well to be honest .. i have not tried using charachters like åæøø yet .. but ...

restart of course

here comes some additional good information;

http://blogs.splunk.com/2014/04/23/its-that-time-again/
http://blogs.splunk.com/2009/12/02/configure-splunk-to-pull-a-date-out-of-a-non-standard-filename/

0 Karma
Reply

lmyrefelt
Builder
‎11-21-2014 06:28 AM

Might be something for an enchantment request? Or the support to help u with ?

Either way .. it should be "best practies" to keep the goods in english 😉 and no puny åæøèé whatever .. makes live easier

0 Karma
Reply

pfoucher
Engager
‎11-20-2014 08:54 AM

I tried to modify the datetime.xml file as with your example, but it didn't work. Splunk does not recognize the "é" character, and displays \xE9 instead. This character belongs to UTF-8, it should be recognized, isn't it ?

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...