Am trying to index log entries where the timestamp information is at the start of the first line of each log entry.
Sample timestamps from entries in a couple of types of associated log files are:
[7/17/10 4:24:53:269 CST] 00000048 SystemErr . . .
[10/5/11 11:55:08:992 PDT] 00000029 SystemOut . . .
[11/30/11 8:09:06:400 PST] 0000006e SystemOut . . .
[12/9/11 0:52:10:743 PST] 0000000a ResourceMgrIm . . .
2/17/10 02:38:11 AM CST [INFO] [...Agent] . . .
10/28/10 08:29:01 PM CDT [ERROR] [...Agent.Properties] . . .
12/09/10 10:08:33 PM CST [WARN] [...Agent] . . .
11/30/11 08:11:08 PM PST [INFO] [...Agent] . . .
This is obviously ambiguous in form for date (since 11/9/10 could be year 2010 or 2011).
Have tried the following but it doesn't work with recent entries, at least those of the form of the first 4 from today. Splunk doesn't recognize the timestamp. Am suspecting an issue with the day portion since it is only a single digit. Can't seem to find if there is a day designator form that allows for a single digit.
In the application's props.conf file:
[host::sample]
TIME_PREFIX = ^.
MAX_TIMESTAMP_LOOKAHEAD = 22
TIME_FORMAT = %y/%d/%m %k%M%S
Anyone have some good suggestions?
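As an added example (not from the original question or answer), here is a Python parser that reads both timestamp shapes shown above and normalizes them to UTC, which is what you need before correlating these entries with other sources. It assumes the dates are month/day/two-digit-year (the only order consistent with both "7/17/10" and "11/30/11"), and the zone-abbreviation-to-offset map is a constructed assumption about these hosts, since abbreviations like CST are not globally unique.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed offsets for the abbreviations seen in the sample lines.
# This is an assumption about the logging hosts, not a general fact.
TZ_OFFSETS_H = {"CST": -6, "CDT": -5, "PST": -8, "PDT": -7}

# Shape A: "[7/17/10 4:24:53:269 CST] ..." (bracketed, 24h clock, milliseconds)
FMT_A = re.compile(
    r"^\[(\d{1,2}/\d{1,2}/\d{2} \d{1,2}:\d{2}:\d{2}:\d{3}) ([A-Z]{3,4})\]")
# Shape B: "2/17/10 02:38:11 AM CST ..." (unbracketed, 12h clock with AM/PM)
FMT_B = re.compile(
    r"^(\d{1,2}/\d{1,2}/\d{2} \d{1,2}:\d{2}:\d{2} [AP]M) ([A-Z]{3,4})")


def parse_timestamp(line):
    """Return the entry's timestamp as an aware UTC datetime, or None.

    %m, %d and %H all accept single-digit values, so "7/17/10 4:24:53"
    parses without any special single-digit day designator.
    """
    m = FMT_A.match(line)
    if m:
        # %f accepts 1-6 fractional digits, so ":269" is read as 269 ms
        naive = datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S:%f")
    else:
        m = FMT_B.match(line)
        if not m:
            return None
        naive = datetime.strptime(m.group(1), "%m/%d/%y %I:%M:%S %p")
    offset_h = TZ_OFFSETS_H.get(m.group(2))
    if offset_h is None:
        return None  # unknown zone: refuse to guess rather than mis-time the event
    aware = naive.replace(tzinfo=timezone(timedelta(hours=offset_h)))
    return aware.astimezone(timezone.utc)


# Constructed sample lines, copied from the shapes in the question above.
SAMPLE_LINES = [
    "[7/17/10 4:24:53:269 CST] 00000048 SystemErr ...",
    "[12/9/11 0:52:10:743 PST] 0000000a ResourceMgrIm ...",
    "10/28/10 08:29:01 PM CDT [ERROR] [...Agent.Properties] ...",
    "continuation line with no timestamp",
]


def normalize(lines):
    """Map each line to an ISO 8601 UTC string, or None when unparseable."""
    return [(ts.isoformat() if ts else None)
            for ts in map(parse_timestamp, lines)]
```

The strptime directives used here (%m/%d/%y %H:%M:%S) are the same family that Splunk's TIME_FORMAT takes, so the single-digit day is not what breaks the config in the question; note that 08:29:01 PM CDT rolls over to the next UTC day, which is exactly the kind of shift that matters when lining up events across hosts.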
See my answer to a similar question
hth,
Kristian