I have a date and time timestamp that looks like DATABASE|20100226|123918|20100226|083918| and I want to extract the date and the second timestamp (local, not GMT). I have figured out that the changes would be to props.conf, but I am having trouble getting the correct format to get the date/time into the database correctly, as this is the time of the event.
Any suggestions?
Thanks
More precisely, in your case you want a props.conf that looks like this:
[<spec>]
TIME_PREFIX = ^\w+\|\d+\|\d+\|
TIME_FORMAT = %Y%m%d|%H%M%S
Check this doc page for more information on timestamp recognition.
Sorry, when I said that the changes go to props.conf, from what I read that is where I should put in the code to get the information from the log. I am not 100% sure of that, as I have not made many changes from the default collection that Splunk does. If that is not what needs to be changed, please point me in the correct direction. The date/time format in my example is 20100226|083918, and I want that to show up as the event time, with the date as month/day/year and the time 083918 shown as 8:39:18 AM.
When you say you have figured out the changes would be in props.conf, are you using the TIME_PREFIX and TIME_FORMAT attributes? See the example below.
Example: web proxy log
10.100.2.3, jdoe, Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; InfoPath.1),
-, 9/17/2009, 9:01:00, -, hostname,
props.conf
# Specify what Splunk recognizes as a timestamp: extract the date and time
# from the 4th and 5th comma-delimited fields. The prefix regex consumes the
# first four fields, so matching starts at 9/17/2009, 9:01:00.
# (Splunk does not support inline comments in .conf files, so comments sit on their own lines.)
TIME_PREFIX = ^(?:[^\,]+,){4}\s*
# Format time as month/day/year, hour:min:second
TIME_FORMAT = %m/%d/%Y, %H:%M:%S
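Before committing a stanza, it helps to check that the TIME_PREFIX/TIME_FORMAT pair really lands on the intended field. The Python below is an added check, not code from either answer and not Splunk's own timestamp parser: it mimics the two-step matching (skip the prefix, then match the format right after it) for both log formats discussed above, and shows that leaving out the prefix picks the first (GMT) timestamp in the DATABASE line.

```python
import re
from datetime import datetime

# Regex equivalents for the strptime directives used on this page.
# Splunk's matcher is more permissive than this; it is enough to sanity-check a stanza.
_DIRECTIVE_RE = {
    "%Y": r"\d{4}", "%m": r"\d{1,2}", "%d": r"\d{1,2}",
    "%H": r"\d{1,2}", "%M": r"\d{2}", "%S": r"\d{2}",
}

# Constructed sample events, copied from the two formats discussed on this page.
DATABASE_LINE = "DATABASE|20100226|123918|20100226|083918|"
PROXY_LINE = ("10.100.2.3, jdoe, Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; "
              "SV1; .NET CLR 1.1.4322; InfoPath.1), -, 9/17/2009, 9:01:00, -, hostname,")


def format_to_regex(time_format: str) -> str:
    """Turn a TIME_FORMAT string into a regex that matches exactly that layout."""
    out, i = [], 0
    while i < len(time_format):
        token = time_format[i:i + 2]
        if token in _DIRECTIVE_RE:
            out.append(_DIRECTIVE_RE[token])
            i += 2
        else:
            out.append(re.escape(time_format[i]))  # literal such as '|', '/', ',' or ' '
            i += 1
    return "".join(out)


def extract_timestamp(line: str, time_prefix: str, time_format: str):
    """Skip the text matched by TIME_PREFIX, then parse TIME_FORMAT immediately after it.

    Returns a naive datetime (no TZ in the stanza, so it is read as local time), or None
    if either the prefix or the format fails to match.
    """
    prefix = re.search(time_prefix, line)
    if prefix is None:
        return None
    rest = line[prefix.end():]
    m = re.match(format_to_regex(time_format), rest)
    if m is None:
        return None
    return datetime.strptime(m.group(0), time_format)


if __name__ == "__main__":
    print(extract_timestamp(DATABASE_LINE, r"^\w+\|\d+\|\d+\|", "%Y%m%d|%H%M%S"))
    print(extract_timestamp(DATABASE_LINE, r"^\w+\|", "%Y%m%d|%H%M%S"))  # first (GMT) pair
    print(extract_timestamp(PROXY_LINE, r"^(?:[^\,]+,){4}\s*", "%m/%d/%Y, %H:%M:%S"))
```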