Hi all
I have the following in a log file that we're passing to Splunk:
Log for 03/07/2012 06:47:43
The date is being parsed as 07/03/2012 so we added:
TIME_PREFIX = "Log for "
TIME_FORMAT = %d/%m/%Y %H:%M:%S
to PROPS.CONF
I'm still getting 07/03 and also a "Could not use strptime to parse timestamp".
Can anyone assist?
Thanks
Hi,
I changed the PROPS.CONF file to read:
[EDICOMMS]
NO_BINARY_CHECK = 1
pulldown_type = 1
TIME_PREFIX = Log for
TIME_FORMAT = %d/%m/%Y %H:%M:%S
SHOULD_LINEMERGE = TRUE
BREAK_ONLY_BEFORE = Log for
And that fixed my problem.
Dave
Glad that you managed to solve it.
However, it could not solve mine.
Thank you for replying 🙂
Now trying to create a new data input and getting the same error again:
From PROPS.CONF
[EDICOMMS]
NO_BINARY_CHECK = 1
pulldown_type = 1
TIME_PREFIX = Log for
TIME_FORMAT = %d/%m/%Y %H:%M:%S
SHOULD_LINEMERGE = True
BREAK_ONLY_AFTER = <NEWRECORD>
Output:
116 03/07/2012 04:20:06.000 Log for 03/07/2012 04:20:06
"CUSTOMER:*******" <NEWRECORD>
117 03/07/2012 04:20:18.000 Log for 03/07/2012 04:20:18
Unknown issue. Type DIR Error 20142 550 No matching files pouet
"CUSTOMER:*******" <NEWRECORD>
118 03/07/2012 04:20:21.000 Log for 03/07/2012 04:20:21
"CUSTOMER:********" <NEWRECORD>
119 03/07/2012 04:20:25.000 Log for 03/07/2012 04:20:25
"CUSTOMER:********" <NEWRECORD>
120 03/07/2012 04:22:39.000 Log for 03/07/2012 04:22:39
"CUSTOMER:*****" <NEWRECORD>
Each event has the "Could not use strptime to parse timestamp" warning, but seems to have converted the timestamp correctly.
Anyone know what I'm doing wrong?
Hi, have you solved this?
I am having the same issue as you and not sure what to do.
Curse my stupidity. I had forgotten to restart Splunk when I made the change above.
Your TIME_PREFIX is wrong. It shouldn't include quotes, as Splunk will interpret that as meaning it should literally match the whole string including the quotes.
Are you looking at newly indexed data? Data that is already in the index will not be affected by these changes. Also I'm assuming that you're sure that this relates to how Splunk parses the data, not how it outputs it in the web UI...
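As an added illustration (my own code, not from the thread and not Splunk's own parser), the script below emulates what TIME_PREFIX and TIME_FORMAT do: TIME_PREFIX is a regex, and strptime is applied to the text right after the match. It replays the three situations in the thread against a constructed line of the same shape: no format at all (assumed here to fall back to US month/day ordering, which is a simplification of Splunk's automatic detection), the quoted prefix that never matches, and the bare prefix that parses 03/07/2012 as 3 July. The warning string is reused from the thread for readability; the real message wording and the continuation-line behaviour are assumptions.

```python
import re
from datetime import datetime

# Constructed sample lines in the shape the thread shows (not real log data).
SAMPLE_LINES = [
    "Log for 03/07/2012 06:47:43",
    "Unknown issue. Type DIR Error 20142 550 No matching files",
]

# strptime directives -> regex fragments; enough for the TIME_FORMAT in the thread.
_DIRECTIVE_RE = {
    "%d": r"\d{1,2}", "%m": r"\d{1,2}", "%Y": r"\d{4}",
    "%H": r"\d{2}", "%M": r"\d{2}", "%S": r"\d{2}",
}

# Same wording as the warning quoted in the thread; used here only as a return value.
WARNING = "Could not use strptime to parse timestamp"


def format_to_regex(time_format):
    """Build a regex that captures exactly the text a strptime format would consume."""
    parts = []
    i = 0
    while i < len(time_format):
        directive = time_format[i:i + 2]
        if directive in _DIRECTIVE_RE:
            parts.append(_DIRECTIVE_RE[directive])
            i += 2
        else:
            parts.append(re.escape(time_format[i]))
            i += 1
    return "".join(parts)


def extract_timestamp(line, time_prefix, time_format):
    """Emulate TIME_PREFIX + TIME_FORMAT: TIME_PREFIX is searched as a regex, then
    strptime is applied to the text immediately after the match.
    Returns (datetime or None, warning or None)."""
    m = re.search(time_prefix, line)
    if m is None:                      # a quoted prefix fails right here
        return None, WARNING
    tail = line[m.end():]
    tm = re.match(format_to_regex(time_format), tail)
    if tm is None:
        return None, WARNING
    try:
        return datetime.strptime(tm.group(0), time_format), None
    except ValueError:                 # e.g. month > 12 under the wrong ordering
        return None, WARNING


def default_guess(line):
    """Assumed stand-in for automatic timestamp detection with no TIME_FORMAT:
    try US month/day ordering first, then day/month (a simplification, not Splunk's code)."""
    m = re.search(r"\d{1,2}/\d{1,2}/\d{4} \d{2}:\d{2}:\d{2}", line)
    if m is None:
        return None
    for fmt in ("%m/%d/%Y %H:%M:%S", "%d/%m/%Y %H:%M:%S"):
        try:
            return datetime.strptime(m.group(0), fmt)
        except ValueError:
            continue
    return None


def run_thread_examples():
    """Replay the configurations discussed in the thread against the sample lines."""
    line = SAMPLE_LINES[0]
    fmt = "%d/%m/%Y %H:%M:%S"
    return {
        "no_config": default_guess(line),                              # 7 March: US ordering wins
        "quoted_prefix": extract_timestamp(line, '"Log for "', fmt),   # regex includes quotes: no match
        "bare_prefix": extract_timestamp(line, "Log for ", fmt),       # 3 July, as intended
        "continuation_line": extract_timestamp(SAMPLE_LINES[1], "Log for ", fmt),  # no prefix: needs line merging
    }


if __name__ == "__main__":
    for name, value in run_thread_examples().items():
        print(f"{name:18} -> {value}")
```

The last case is why the SHOULD_LINEMERGE / BREAK_ONLY_BEFORE settings in Dave's config matter: a continuation line carries no prefix of its own, so it only gets the right timestamp once it is merged into the event that starts with "Log for". Changes to props.conf take effect for newly indexed data after a restart, as noted above.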
Thanks Ayn
I've changed that, but there's no difference I'm afraid.
The date is highlighted, but it insists on converting to a US date.