props.conf time format configuration

splunker9999
Path Finder

Hi,

We need to add YYYY to my events through configuration files; how can we achieve this?

Can someone please give an example of doing this? My sample logs look like below.

As the logs below don't have YYYY, data is not ingesting properly.

44168:M 15 Jul 00:58:45.288 - DB 0: 271239 keys (0 volatile) in 524288 slots HT.
44168:M 15 Jul 00:58:45.288 - 10 clients connected (1 slaves), 675337520 bytes in use
44168:M 15 Jul 00:58:50.298 - DB 0: 271239 keys (0 volatile) in 524288 slots HT.
44168:M 15 Jul 00:58:50.298 - 10 clients connected (1 slaves), 675337448 bytes in use
44168:M 15 Jul 00:58:55.307 - DB 0: 271239 keys (0 volatile) in 524288 slots HT.
44168:M 15 Jul 00:58:55.307 - 10 clients connected (1 slaves), 675374368 bytes in use
44168:M 15 Jul 00:59:00.315 - DB 0: 271239 keys (0 volatile) in 524288 slots HT.
44168:M 15 Jul 00:59:00.315 - 10 clients connected (1 slaves), 675337472 bytes in use
44168:M 15 Jul 00:59:05.326 - DB 0: 271239 keys (0 volatile) in 524288 slots HT.
44168:M 15 Jul 00:59:05.326 - 10 clients connected (1 slaves), 675411168 bytes in use
44168:M 15 Jul 00:59:10.339 - DB 0: 271239 keys (0 volatile) in 524288 slots HT.
44168:M 15 Jul 00:59:10.339 - 10 clients connected (1 slaves), 675374368 bytes in use
44168:M 15 Jul 00:59:15.346 - DB 0: 271239 keys (0 volatile) in 524288 slots HT.
44168:M 15 Jul 00:59:15.346 - 10 clients connected (1 slaves), 675337448 bytes in use
44168:M 15 Jul 00:59:20.359 - DB 0: 271239 keys (0 volatile) in 524288 slots HT.
44168:M 15 Jul 00:59:20.359 - 10 clients connected (1 slaves), 675337520 bytes in use
0 Karma

woodcock
Esteemed Legend

Try this in props.conf:

[YourSourceTypeHere]
TIME_PREFIX = ^\d+:\w+\s+
TIME_FORMAT = %d %b %H:%M:%S.%3N

If the year is missing, then Splunk will assume "this year" (or "last year" if in January and it sees December stuff), so long as you are not sending in stuff that is months old. Put this on your indexers and restart the Splunk instances there, and then all NEW data will be correct (old data will stay wrong).

0 Karma

twinspop
Influencer

Specify the time format in props.conf explicitly (without year) and it should work fine. Something like:

[yoursourcetype]
TIME_PREFIX = ^\d+:M
TIME_FORMAT = %d %b %T.%3N

Splunk will assume the current year at the time of indexing in this case I believe.

0 Karma

woodcock
Esteemed Legend

Why do you think that you need this?

0 Karma

splunker9999
Path Finder

Because, while ingesting data, since my logs do not have a year, Splunk is not ingesting any data except the time frame (00:00:00 to 00:59:59).

Since it does not have a year, it is considering the hour as the date and we are getting an incorrect time. Sample logs below:

Time format as 1:58:50 --- the time it considered is 7/13/15, but it should be 7/15/2016.

7/13/15 1:58:50.298 PM 44168:M 15 Jul 1:58:50.298 - 10 clients connected (1 slaves), 675337448

7/16/15 4:59:00.315 PM 44168:M 15 Jul 4:59:00.315 - DB 0: 271239 keys (0 volatile) in 524288 slots HT.

0 Karma

jkat54
SplunkTrust

I think an easy way, which could then be easily changed in the future, would be to use SEDCMD:

SEDCMD-year = s/:M/:M 2016/g

0 Karma

splunker9999
Path Finder

Would I need to do this in timeFormat in props.conf?

0 Karma

jkat54
SplunkTrust

Yes indeed.
And then reload the data.

0 Karma
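Added example (not Splunk's code and not from any post above): a small Python emulation of the props.conf handling discussed in this thread. It applies woodcock's TIME_PREFIX/TIME_FORMAT stanza to the question's log lines and shows the year each event is assigned, including the case of a December event indexed in January. It also runs jkat54's SEDCMD idea, where a literal year is written into the event and TIME_FORMAT then has to carry %Y (that %Y format line is our assumption; the thread shows only the SEDCMD). The sourcetype name redis_log, the sample events, the 31 Dec line and the two fixed "indexer clocks" are constructed for the example. One pipeline caveat: the emulation applies the SEDCMD before extracting the timestamp, whereas on a real Splunk indexer SEDCMD runs in the typing pipeline, after timestamp extraction in the parsing pipeline, so treat that part as an illustration of the %Y requirement rather than a guarantee about _time.

```python
import re
from datetime import datetime

# Constructed sample events in the question's format; the December line is added
# to exercise the December/January rollover woodcock describes.
SAMPLE_EVENTS = [
    "44168:M 15 Jul 00:58:45.288 - DB 0: 271239 keys (0 volatile) in 524288 slots HT.",
    "44168:M 15 Jul 00:58:45.288 - 10 clients connected (1 slaves), 675337520 bytes in use",
    "44168:M 31 Dec 23:59:59.999 - 10 clients connected (1 slaves), 675337520 bytes in use",
]

# Constructed "indexer clocks" so the year inference is reproducible.
CLOCK_JULY_2016 = datetime(2016, 7, 15, 1, 0, 0)
CLOCK_JAN_2017 = datetime(2017, 1, 3, 0, 0, 0)

# Stanza from the thread (sourcetype name is a placeholder): no year in the format.
PROPS_NO_YEAR = r"""
[redis_log]
TIME_PREFIX = ^\d+:\w+\s+
TIME_FORMAT = %d %b %H:%M:%S.%3N
"""

# SEDCMD idea from the thread; the %Y in TIME_FORMAT is our assumption, since once a
# literal year is written into the event the format has to expect it.
PROPS_SEDCMD = r"""
[redis_log]
SEDCMD-year = s/:M/:M 2016/g
TIME_PREFIX = ^\d+:\w+\s+
TIME_FORMAT = %Y %d %b %H:%M:%S.%3N
"""

MAX_TIMESTAMP_LOOKAHEAD = 128  # Splunk's default scan window after TIME_PREFIX


def parse_stanza(text):
    """Return {key: value} for the single stanza in a props.conf fragment."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "[#":
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings


def apply_sedcmds(event, settings):
    """Apply each SEDCMD-<name> = s/regex/replacement/flags setting to the raw event."""
    for key, value in settings.items():
        if key.startswith("SEDCMD-") and value.startswith("s"):
            # Plain split on the delimiter: an escaped delimiter inside the regex is not handled.
            _, pattern, repl, flags = value.split(value[1])
            event = re.sub(pattern, repl, event, count=0 if "g" in flags else 1)
    return event


def splunk_to_python_format(time_format):
    """Translate the Splunk strptime directives that Python's strptime lacks."""
    fmt = re.sub(r"%\d?N", "%f", time_format)  # %N / %3N / %6N / %9N -> fractional seconds
    return fmt.replace("%T", "%H:%M:%S")        # Python's strptime has no %T


def extract_timestamp(event, settings, now):
    """Extract the event time as the stanza directs; `now` stands in for the indexer clock."""
    event = apply_sedcmds(event, settings)
    prefix = re.search(settings["TIME_PREFIX"], event)
    if prefix is None:
        return None
    window = event[prefix.end():prefix.end() + MAX_TIMESTAMP_LOOKAHEAD]
    fmt = splunk_to_python_format(settings["TIME_FORMAT"])
    has_year = "%Y" in fmt or "%y" in fmt
    # The format consumes as much of the window as it matches: try the longest candidate first.
    for end in range(len(window), 0, -1):
        candidate = window[:end]
        try:
            if has_year:
                return datetime.strptime(candidate, fmt)
            parsed = datetime.strptime(f"{now.year} {candidate}", "%Y " + fmt)
        except ValueError:
            continue
        # No year in the event: assume the current year, except that a December event
        # seen in January belongs to the year that just ended (the rule from the thread).
        if parsed.month == 12 and now.month == 1:
            parsed = parsed.replace(year=now.year - 1)
        return parsed
    return None


def indexed_times(events, props_text, now):
    """ISO-8601 strings of the extracted times, None where extraction failed."""
    settings = parse_stanza(props_text)
    stamps = (extract_timestamp(e, settings, now) for e in events)
    return [ts.isoformat(timespec="milliseconds") if ts else None for ts in stamps]


if __name__ == "__main__":
    runs = [("no-year stanza, July 2016", PROPS_NO_YEAR, CLOCK_JULY_2016),
            ("SEDCMD stanza, July 2016", PROPS_SEDCMD, CLOCK_JULY_2016),
            ("no-year stanza, January 2017", PROPS_NO_YEAR, CLOCK_JAN_2017)]
    for label, props, clock in runs:
        print(f"--- {label} ---")
        for event, ts in zip(SAMPLE_EVENTS, indexed_times(SAMPLE_EVENTS, props, clock)):
            print(f"{ts}  <-  {event[:27]}")
```

Run it directly to see the three batches. With the July 2016 clock both stanzas stamp the 15 Jul lines as 2016; with the January 2017 clock the 31 Dec line correctly lands in 2016 while the 15 Jul lines are pushed into July 2017, which is exactly the "months old data" caveat woodcock raises and the reason backfilled logs need a year in the event or a different TIME_FORMAT. A None in the output means the format did not match at the TIME_PREFIX position, the same symptom as Splunk falling back to its own timestamp heuristics.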