Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

TimeStamp translation

bc_unixadm
Explorer
‎07-26-2010 05:28 PM

I have a date and time timestamp that looks like DATABASE|20100226|123918|20100226|083918| and I want to extract the date and second time stamp (local not GMT). I have figured out that the changes would be to the props.conf, I am having trouble getting the correct format to get the date/time in the database correctly as this is the time of the event.

Any suggestions?

thanks

Tags (2)
Reply

Genti
Splunk Employee
Splunk Employee
‎10-05-2010 06:08 AM

More precisely, in your case you want a props.conf that looks like this:

<spec>
TIME_PREFIX = ^\w+\|\d+\|\d+\|
TIME_FORMAT = %Y%m%d|%H%M%S

Check this doc page for more information on timestamp recognition

0 Karma
Reply

bc_unixadm
Explorer
‎07-26-2010 05:58 PM

Sorry, when I said that the changes go to the props.conf, from what I read that is where I should put in the code to get the information from the log. I am not 100% sure of that as I have not made many changes from the default collection that splunk does. If that is not what needs to be changed, please point me in the correct direction. The date/time format in my example is 20100226|083918 and I want that to show up as the event time of month/day/year and the time 083918 show up date 8:39:18 AM.

0 Karma
Reply

rroberts
Splunk Employee
Splunk Employee
‎07-26-2010 05:45 PM

When you say you have figured out the changes would be in props.conf are you using TIME_PREFIX and TIME_FORMAT attributes? see example below.

Example: web proxy log
10.100.2.3, jdoe, Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; InfoPath.1), -, 9/17/2009, 9:01:00, -, hostname, props.conf

Specify what Splunk recognizes as a timestamp. Extract Date and Time at 4th and 5th comma delimited

TIME_PREFIX = ^(?:[^\,]+,){4}\s* # will find 9/17/2009 and 0:00:00 after 4th comma

Format time as month/day/year, hour:min:second

TIME_FORMAT = %m/%d/%Y, %H:%M:%S

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...