Timestamp configuration does not pull the correct ... - Splunk Community

Getting Data In

I am importing cisco logs that have two timestamps with different formats.
Unfortunately, configuration set in props.conf for the app is still not pulling extracting the correct date.
Here is a sample:

<splunk system timestamp> Aug 23 12:00:00 xxxx.org: <second timestamp> 2016 Sept 28 12:34:53 EDT

[test]
TIME_PREFIX = org :\s*
#TIME_FORMAT = %Y %b %d %H:%M:%S %Z
MAX_TIMESTAMP_LOOKAHEAD = 75

It seems to me, you do not need the TIME_PREFIX option, since the format of the different fields is, well, different.

You do want to use the TIME_FORMAT setting, which does look correct.

The TIME_PREFIX listed in your config would not work, due to the space in between the org and the :. You can correct the TIME_PREFIX , and your input should start working.

Please accept either answer if we have answered your question. Thanks!

Looks like there is a space between "org" and ":" in your props.conf TIME_PREFIX, but not in your data.

Get Updates on the Splunk Community!

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Combine multiline logs into a single event with SOCK - a step-by-step guide for newbies Olga Malita The ...