Splunk Search

Date Parsing

dmrhodes101
Explorer

Hi all

I have the following in a log file that we're passing to Splunk:

Log for 03/07/2012 06:47:43

The date is being parsed as 07/03/2012 so we added:

TIME_PREFIX = "Log for "

TIME_FORMAT = %d/%m/%Y %H:%M:%S

to PROPS.CONF

I'm still getting 07/03 and also a "Could not use strptime to parse timestamp".

Can anyone assist?
Thanks


dmrhodes101
Explorer

Hi,

I changed the PROPS.CONF file to read:

[EDICOMMS]

NO_BINARY_CHECK = 1

pulldown_type = 1

TIME_PREFIX = Log for

TIME_FORMAT = %d/%m/%Y %H:%M:%S

SHOULD_LINEMERGE = TRUE

BREAK_ONLY_BEFORE = Log for

And that fixed my problem.

Dave


elaine0102
Explorer

Glad that you managed to solve it.
However, it could not solve mine.
Thank you for replying 🙂


dmrhodes101
Explorer

Now trying to create a new data input and getting the same error again:

From PROPS.CONF

[EDICOMMS]
NO_BINARY_CHECK = 1
pulldown_type = 1
TIME_PREFIX = Log for 
TIME_FORMAT = %d/%m/%Y %H:%M:%S
SHOULD_LINEMERGE = True
BREAK_ONLY_AFTER =  <NEWRECORD>

Output:

116     03/07/2012 04:20:06.000   Log for 03/07/2012 04:20:06
                                  "CUSTOMER:*******" <NEWRECORD> 

117     03/07/2012 04:20:18.000   Log for 03/07/2012 04:20:18
                                  Unknown issue. Type DIR Error 20142 550 No matching files pouet
                                  "CUSTOMER:*******" <NEWRECORD> 

118     03/07/2012 04:20:21.000   Log for 03/07/2012 04:20:21
                                  "CUSTOMER:********" <NEWRECORD> 

119     03/07/2012 04:20:25.000   Log for 03/07/2012 04:20:25
                                  "CUSTOMER:********" <NEWRECORD> 

120     03/07/2012 04:22:39.000   Log for 03/07/2012 04:22:39
                                  "CUSTOMER:*****" <NEWRECORD> 

Each event has the "Could not use strptime to parse timestamp" warning, but seems to have converted the timestamp correctly.

Anyone know what I'm doing wrong?


elaine0102
Explorer

Hi, have you solved this?
I am having the same issue as you and not sure what to do.


dmrhodes101
Explorer

Curse my stupidity. I had forgotten to restart Splunk when I made the change above.


Ayn
Legend

Your TIME_PREFIX is wrong. It shouldn't include quotes, as Splunk will interpret that as that it should literally match the whole string including the quotes.

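As an added illustration (not code from this thread and not Splunk's own parser), the small Python check below mimics the two settings under discussion: TIME_PREFIX is a regular expression that must match before the timestamp, and TIME_FORMAT is a strptime-style format applied to the text that follows the match. It is handy for testing a candidate stanza against sample lines before touching props.conf. The log lines are constructed in the shape of the ones in the thread; the 25/07 line is invented to show that a day above 12 exposes a wrong day/month order, which the ambiguous 03/07 lines never can.

```python
import re
from datetime import datetime

# Constructed sample events in the shape shown in the thread (not real data).
SAMPLE_EVENTS = [
    "Log for 03/07/2012 06:47:43",
    "Log for 03/07/2012 04:20:18\nUnknown issue. Type DIR Error 20142 550 No matching files",
    "Log for 25/07/2012 09:00:00",  # day > 12: unambiguous, so a wrong format fails loudly
]

# Characters a timestamp built from %d/%m/%Y %H:%M:%S can contain.
TIMESTAMP_CHARS = re.compile(r"[0-9/: ]+")


def extract_timestamp(event, time_prefix, time_format):
    """Approximation of Splunk's TIME_PREFIX / TIME_FORMAT behaviour.

    time_prefix is treated as a regex (as Splunk does); the timestamp is read
    from the text immediately after the match and parsed with the strptime
    style time_format. Returns a datetime, or None when the prefix does not
    match or strptime rejects the text (the "could not use strptime" case).
    """
    prefix_match = re.search(time_prefix, event)
    if prefix_match is None:
        return None  # e.g. a TIME_PREFIX that literally includes quote characters
    rest = event[prefix_match.end():]
    candidate = TIMESTAMP_CHARS.match(rest)
    if candidate is None:
        return None
    try:
        return datetime.strptime(candidate.group(0).strip(), time_format)
    except ValueError:
        return None


def check_config(time_prefix, time_format, events=SAMPLE_EVENTS):
    """Run the extraction over every event; ISO string per event, None on failure."""
    results = []
    for event in events:
        parsed = extract_timestamp(event, time_prefix, time_format)
        results.append(parsed.isoformat() if parsed is not None else None)
    return results


if __name__ == "__main__":
    # The three stanzas discussed in the thread, side by side.
    trials = [
        ('"Log for "', "%d/%m/%Y %H:%M:%S"),  # quotes become part of the regex: nothing matches
        ("Log for ", "%d/%m/%Y %H:%M:%S"),    # day-first, what the log actually uses
        ("Log for ", "%m/%d/%Y %H:%M:%S"),    # month-first, the US reading that caused 07/03
    ]
    for prefix, fmt in trials:
        print(f"TIME_PREFIX = {prefix!r:14} TIME_FORMAT = {fmt}")
        for event, result in zip(SAMPLE_EVENTS, check_config(prefix, fmt)):
            print(f"    {event.splitlines()[0]:<30} -> {result}")
```

With the quoted prefix every line comes back None, which is the literal-match problem Ayn describes; with the bare prefix and the day-first format all three lines parse, while the month-first format silently swaps day and month on the ambiguous lines and only fails on 25/07. Note that this script only checks the extraction logic; it cannot reproduce the other failure mode in the thread, where a correct stanza was not picked up because Splunk had not been restarted.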

Ayn
Legend

Are you looking at newly indexed data? Data that is already in the index will not be affected by these changes. Also I'm assuming that you're sure that this relates to how Splunk parses the data, not how it outputs it in the web UI...


dmrhodes101
Explorer

Thanks Ayn

I've changed that, but there's no difference I'm afraid.

The date is highlighted, but it insists on converting to a US date.
