Solved: Time is not getting extracted properly ?

lohitkidu · ‎03-07-2016

Hi All,

I am not able to extract time format from events like below

07/03/2016 Mon Mar 7 10:42:25 2016 Info: End Logfile
10:42:31.000

As it can be seen original time is 10.42.25 whereas splunk is parsing time as 10:42:31.000 . It is off by 6 seconds and it varies among other events how much it is getting off by. Below is my props.conf for this sourcetype:
[abc]
TIME_PREFIX=^
TIME_FORMAT=%c

But it is not working . What am i doing wrong ?

Richfez · ‎03-07-2016

"07/03/2016 Mon Mar 7 10:42:25"

Could be matched by

[abc]
TIME_PREFIX=^
TIME_FORMAT=%d/%m/%Y %a %b %H:%M:%S

Derived from careful study of the date and time format variables. I'm not 100% positive %c matches that. (I generally try to not use 'magic' variables in those, because magic is a bit fiddly and has a way of biting the hand that's feeding it.)

View solution in original post

lohitkidu · ‎03-07-2016

Correct rich7177. Seems like %c is not working here. I do not know why

I have matched it with
TIME_FORMAT=%a %b %d %H:%M:%S %Y

Richfez · ‎03-07-2016

"07/03/2016 Mon Mar 7 10:42:25"

Could be matched by

[abc]
TIME_PREFIX=^
TIME_FORMAT=%d/%m/%Y %a %b %H:%M:%S

Derived from careful study of the date and time format variables. I'm not 100% positive %c matches that. (I generally try to not use 'magic' variables in those, because magic is a bit fiddly and has a way of biting the hand that's feeding it.)

alemarzu · ‎03-07-2016

Hi there

Thats weird mate, what Splunk version are you running ? Because timestamp recognition works just fine for me on 6.2.3 & 6.3.0

Time is not getting extracted properly ?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes