Splunk Search

How do I get Splunk to recognize the full Date AND Time in the timestamp of this CSV?

jimmitch923
New Member

Event lines look like this
{I5K5-M8HD47HI-6694GOIH},01/02/2010 07:13:39,NLR0174,PC-8272,Connect

Everything I've tried only recognizes the time...but not the date.
TIME_FORMAT = %d/%m/%Y %H:%M:%S
TIME_PREFIX = {.+}\,

Help please!

Tags (1)
0 Karma

Jeremiah
Motivator

Are the dates really that old? You may need to increase MAX_DAYS_AGO. Does it work differently for more recent timestamps?

http://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/Propsconf

MAX_DAYS_AGO = <integer>
* Specifies the maximum number of days past, from the current date, that an
  extracted date can be valid. Splunk still indexes events with dates older
  than MAX_DAYS_AGO with the timestamp of the last acceptable event. If no 
  such acceptable event exists, new events with timestamps older than MAX_DAYS_AGO 
  will use the current timestamp.
* For example, if MAX_DAYS_AGO = 10, Splunk applies the timestamp of the last 
  acceptable event to events with extracted timestamps older than 10 days in 
  the past. If no acceptable event exists, Splunk applies the current timestamp.
* Defaults to 2000 (days), maximum 10951.
* IMPORTANT: If your data is older than 2000 days, increase this setting.
0 Karma

sheron_splunk
Splunk Employee
Splunk Employee

Have you tried using MAX_TIMESTAMP_LOOKAHEAD=19 ?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...