Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

french timestamp not understood

pfoucher
Engager
‎11-18-2014 06:33 AM

Hello,
I have a log where the timestamp is written with a abbreviated name for the month. My problem is that the abreviation is a french one and splunk does not understand it.
Example : (déc for december)
01-déc-10|15:28:16.0| xxxx
01-déc-10|15:59:38.3| yyy
As a consequence, all the lines are appended into a single event.
I tried to modify the file datetime.xml, but it didn't work.
Can someone help me ?
Thank you

Tags (1)
Reply

raz_gp
Explorer
‎12-22-2023 01:14 AM

having the same issue for weekdays and month dates. 
Is this something that will happen or we need to fix it ourselves creatively ?


mer. 13 déc. 2023 23:31:20 CET file_hash=96def1...
mar. 19 déc. 2023 22:06:55 CET user=x ... 
mar. 19 déc. 2023 09:16:13 CET user=y ...

0 Karma
Reply

gfuente
Motivator
‎11-21-2014 06:52 AM

Hello

This is officially not supported:

Note: Splunk Enterprise does not currently recognize non-English month names in timestamps. If you have an app that writes non-English month names to log files, reconfigure the app to use numerical months, if possible.

From: http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Configuretimestamprecognition

Regards

Reply

lmyrefelt
Builder
‎11-18-2014 07:24 AM

The following should work;

in props.conf

["your-sourcetype"]
DATETIME_CONFIG = ("path")/etc/apps/"app-name"/"path"/datetime.xml

inside datetime.xml, under lithmonth / _litmonth

dec|déc

... Well to be honest .. i have not tried using charachters like åæøø yet .. but ...

restart of course

here comes some additional good information;

http://blogs.splunk.com/2014/04/23/its-that-time-again/
http://blogs.splunk.com/2009/12/02/configure-splunk-to-pull-a-date-out-of-a-non-standard-filename/

0 Karma
Reply

lmyrefelt
Builder
‎11-21-2014 06:28 AM

Might be something for an enchantment request? Or the support to help u with ?

Either way .. it should be "best practies" to keep the goods in english 😉 and no puny åæøèé whatever .. makes live easier

0 Karma
Reply

pfoucher
Engager
‎11-20-2014 08:54 AM

I tried to modify the datetime.xml file as with your example, but it didn't work. Splunk does not recognize the "é" character, and displays \xE9 instead. This character belongs to UTF-8, it should be recognized, isn't it ?

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...