Is the configuration for my timestamp correct?

patriziadepaola · ‎12-07-2016

I have a problem with the right extraction of timestamp in a log file. The string example of my log :

161206 152835 LNX64 3 PWX-36145 ORAD Info Mbr 2: +   Low SCN 6120947915182. Low SCN Time 12/06/2016 14:58:17.
161206 152835 LNX64 3 PWX-36146 ORAD Info Mbr 2: +   Next SCN 6120950880737. Next SCN Time 12/06/2016 15:27:58.
161206 152900 LNX64 3 PWX-36117 ORAD Info Mbr 3: Reader is waiting for log sequence 36736 with start SCN 6120950700533 to be archived.
161206 152908 LNX64 3 PWX-36440 ORAD Info: Monitor messages begin (2016/12/06 15:29:08).
161206 152908 LNX64 3 PWX-36441 ORAD Info: Interval return counts: no data 114, commits 32717, inserts 35394, updates 5898, deletes 118.
161206 152908 LNX64 3 PWX-36442 ORAD Info: Interval TMGR counts: no data 124, transaction control 529871, operations 109033, other 0.

this my props.conf :

[etl-pwxccl_log2]
CHARSET = UTF-8
TIME_PREFIX=^
MAX_TIMESTAMP_LOOKAHEAD = 14
TIME_FORMAT = %Y%m%d %H%M%S
SHOULD_LINEMERGE = false
disabled = false
REPORT-pwxccl = etl-pwxxccl-fields

this my transforms.conf:

[etl-pwxxccl-fields]
REGEX=  ^(?P\d+)\s+(?P\d+)\s+(?P.+) 

FORMAT = DATA::"$1" ORA::"$2" MESSAGE::"$3"

WRITE_META=1

With this configuration the extraction of date is correct but is the time incorrect (recovered in other places of the log line?)

Can someone help me?

sundareshr · ‎12-07-2016

Since its 2-digit year (YY), try lower case %y. Like this %y%m%d %H%M%S

Is the configuration for my timestamp correct?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life