Date Parsing

dmrhodes101
Explorer

Hi all

I have the following in a log file that we're passing to Splunk:

Log for 03/07/2012 06:47:43

The date is being parsed as 07/03/2012, so we added:

TIME_PREFIX = "Log for "
TIME_FORMAT = %d/%m/%Y %H:%M:%S

to PROPS.CONF

I'm still getting 07/03 and also a "Could not use strptime to parse timestamp".

Can anyone assist?
Thanks


dmrhodes101
Explorer

Hi,

I changed the PROPS.CONF file to read:

[EDICOMMS]
NO_BINARY_CHECK = 1
pulldown_type = 1
TIME_PREFIX = Log for
TIME_FORMAT = %d/%m/%Y %H:%M:%S
SHOULD_LINEMERGE = TRUE
BREAK_ONLY_BEFORE = Log for

And that fixed my problem.

Dave


elaine0102
Explorer

Glad that you managed to solve it.
However, it could not solve mine.
Thank you for replying 🙂


dmrhodes101
Explorer

Now trying to create a new data input and getting the same error again:

From PROPS.CONF

[EDICOMMS]
NO_BINARY_CHECK = 1
pulldown_type = 1
TIME_PREFIX = Log for 
TIME_FORMAT = %d/%m/%Y %H:%M:%S
SHOULD_LINEMERGE = True
BREAK_ONLY_AFTER =  <NEWRECORD>

Output:

116     03/07/2012 04:20:06.000   Log for 03/07/2012 04:20:06
                                  "CUSTOMER:*******" <NEWRECORD> 

117     03/07/2012 04:20:18.000   Log for 03/07/2012 04:20:18
                                  Unknown issue. Type DIR Error 20142 550 No matching files pouet
                                  "CUSTOMER:*******" <NEWRECORD> 

118     03/07/2012 04:20:21.000   Log for 03/07/2012 04:20:21
                                  "CUSTOMER:********" <NEWRECORD> 

119     03/07/2012 04:20:25.000   Log for 03/07/2012 04:20:25
                                  "CUSTOMER:********" <NEWRECORD> 

120     03/07/2012 04:22:39.000   Log for 03/07/2012 04:22:39
                                  "CUSTOMER:*****" <NEWRECORD> 

Each event has the "Could not use strptime to parse timestamp" warning, but seems to have converted the timestamp correctly.

Anyone know what I'm doing wrong?


elaine0102
Explorer

Hi, have you solved this?
I am having the same issue as you and not sure what to do.


dmrhodes101
Explorer

Curse my stupidity. I had forgotten to restart Splunk when I made the change above.


Ayn
Legend

Your TIME_PREFIX is wrong. It shouldn't include quotes, as Splunk will interpret that as meaning it should literally match the whole string, quotes included.

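As an added illustration (not Splunk's code or the poster's config), here is a small Python model of the TIME_PREFIX + TIME_FORMAT step this thread is about: the prefix is applied as a regular expression, so literal quotes in it never match the log line and nothing is left for strptime, whereas the unquoted prefix lets `%d/%m/%Y` read 03/07/2012 as 3 July. The log lines are constructed after the ones in the thread; the US-style comparison uses a plain `%m/%d/%Y` read of the same digits.

```python
import re
from datetime import datetime

# Constructed lines modelled on the thread's log (not real data).
LOG_LINE = "Log for 03/07/2012 06:47:43"
LOG_LINE_TRAILING = "Log for 03/07/2012 04:20:18 Unknown issue. Type DIR Error 20142"

# Splunk-style settings: TIME_PREFIX is a regex that must match right before
# the timestamp; TIME_FORMAT is a strptime pattern.
BAD_PREFIX = r'"Log for "'   # quotes become literal characters (Ayn's point)
GOOD_PREFIX = r"Log for "
TIME_FORMAT = "%d/%m/%Y %H:%M:%S"


def extract_timestamp(line, time_prefix, time_format):
    """Simplified model of Splunk's prefix-then-strptime extraction (not Splunk's code).

    Returns a datetime, or None when the prefix is not found or the text after
    it does not parse with the format (the 'Could not use strptime' case).
    """
    m = re.search(time_prefix, line)
    if m is None:
        return None
    rest = line[m.end():]
    # Python's strptime rejects trailing text, so try the longest slice first
    # and shrink until the format consumes the slice exactly.
    for end in range(len(rest), 0, -1):
        try:
            return datetime.strptime(rest[:end], time_format)
        except ValueError:
            continue
    return None


def month_first(text):
    """Read the same digits month-first, i.e. how 03/07 ends up as 7 March."""
    return datetime.strptime(text, "%m/%d/%Y %H:%M:%S")


if __name__ == "__main__":
    print("quoted prefix  :", extract_timestamp(LOG_LINE, BAD_PREFIX, TIME_FORMAT))
    print("unquoted prefix:", extract_timestamp(LOG_LINE, GOOD_PREFIX, TIME_FORMAT))
    print("trailing text  :", extract_timestamp(LOG_LINE_TRAILING, GOOD_PREFIX, TIME_FORMAT))
    print("month-first    :", month_first("03/07/2012 06:47:43"))
```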

Ayn
Legend

Are you looking at newly indexed data? Data that is already in the index will not be affected by these changes. Also I'm assuming that you're sure that this relates to how Splunk parses the data, not how it outputs it in the web UI...


dmrhodes101
Explorer

Thanks Ayn

I've changed that, but there's no difference, I'm afraid.

The date is highlighted, but it insists on converting to a US date.
