I have a data input with the following format for which I am struggling to extract the correct data for the SPLUNK event date and time.
MAIN|^0212345678-2|^6.75|^GBP|^2014-12-16|^2014-12-12 12:27:22|^1
The date-time field I want to use for the event time is 2014-12-12 12:27:22; however, SPLUNK seems to be using a combination of different fields to build the event date and time. For the above record it is deducing an event date and time of 2014-12-16 12:27:22. It seems to be deriving the date from field 5 and the time from field 7. Ultimately I would like the date and time to be derived only from field 7, i.e. 2014-12-12 12:27:22.
I have tried various permutations of the following in my props.conf but still remain unsuccessful.
TIME_FORMAT=%Y-%m-%d %H:%M:%S
TIME_PREFIX=(?i)^(?:[^\^]*\^){7}
MAX_TIMESTAMP_LOOKAHEAD=50
Any ideas on what to try next would be much appreciated.
This works for me:
[event_sourcetype]
TIME_FORMAT=%Y-%m-%d %H:%M:%S
TIME_PREFIX=^(?:[^\^\n]*\^){5}
MAX_TIMESTAMP_LOOKAHEAD=50
Make sure the event has a sourcetype associated and utilise that sourcetype name in the props.conf
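To see why the five-caret TIME_PREFIX in this answer works and the seven-caret one from the question does not, here is a small Python model (added here, not from the thread or from Splunk itself) that applies TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD and TIME_FORMAT to the sample event. Returning None when the prefix does not match is an assumed simplification of Splunk's fallback heuristics, which is the path that produced the mixed 2014-12-16 12:27:22 result.

```python
import re
from datetime import datetime

# Sample event taken from the question; the wanted timestamp follows the 5th caret.
SAMPLE_EVENT = "MAIN|^0212345678-2|^6.75|^GBP|^2014-12-16|^2014-12-12 12:27:22|^1"

# strptime-style TIME_FORMAT from the props.conf above.
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"

# The asker's TIME_PREFIX (skips 7 carets) versus the answer's (skips 5).
PREFIX_QUESTION = r"(?i)^(?:[^\^]*\^){7}"
PREFIX_ANSWER = r"^(?:[^\^\n]*\^){5}"


def extract_timestamp(event, time_prefix, time_format, lookahead=50):
    """Simplified model of TIME_PREFIX / TIME_FORMAT / MAX_TIMESTAMP_LOOKAHEAD.

    Returns the parsed datetime, or None when the prefix does not match or no
    value in time_format starts within `lookahead` characters after the prefix.
    """
    m = re.search(time_prefix, event)
    if m is None:
        # No anchor: the event has only 6 carets, so {7} can never match.
        # Real Splunk would now fall back to its own timestamp heuristics.
        return None
    window = event[m.end():m.end() + lookahead]
    # Try progressively shorter slices so the trailing "|^1" does not break strptime.
    for end in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:end], time_format)
        except ValueError:
            continue
    return None


def compare_prefixes(event=SAMPLE_EVENT):
    """Return (result with the question's prefix, result with the answer's prefix)."""
    return (
        extract_timestamp(event, PREFIX_QUESTION, TIME_FORMAT),
        extract_timestamp(event, PREFIX_ANSWER, TIME_FORMAT),
    )


if __name__ == "__main__":
    q, a = compare_prefixes()
    print("question prefix ({7} carets):", q)  # None
    print("answer prefix   ({5} carets):", a)  # 2014-12-12 12:27:22
```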
Thanks mzorzi for pointing me in the right direction. I guess I need to spend a bit more time with my regular expressions.