Source using ISO Date

cvajs · ‎04-03-2012

v4.3.1 on sles 11.1

i have some syslog-ng data, written to file as template("$DATE $TZ $WEEKDAY $ISODATE $HOST $FACILITY [$LEVEL] $MSG\n")

when i try to create a new source and use ISO Date YYYY-MM-DDTHH:MM:SS.MMM-HH:MM for timestamp format it doesnt find the pattern, keeps locking onto the $DATE format.

why?

sowings · ‎04-03-2012

You'll want to look at props.conf, specifically TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD and maybe TIME_FORMAT.

sowings · ‎04-05-2012

In the Manager when defining a new sourcetype (in particular, the timestamp tab), TIME_PREFIX corresponds to "Timestamp is always prefaced by a pattern". Since you're writing a "normal" syslog timestamp first, Splunk is finding that. You'll need to specify a regex pattern that matches the "normal" time stamp, so that Splunk will look past this prefix to find the ISO time stamp instead.

TIME_FORMAT is the "Specify timestamp format (strptime)" text entry box. I've successfully used %Y-%m-%dT%H:%M:%S%z.

cvajs · ‎04-04-2012

i was using the GUI to create a new source definition, etc. when i went to timestamp tab i could not get the GUI to recognize the iso date in the data.

Source using ISO Date

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor