Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

I need help with time stamp recognition

kjetil
New Member
‎07-06-2012 06:55 AM

Hi.

I've just started with Splunk and need help setting up file input. The log files looks like the below. A header row and one row per event. Each event starts with a number from 0 to whatever, the date, the time and a lot of other fields - all fields separated by semicolon

0;30Jun2012;23:30:00;

567498;1Jul2012;11:26:44;

What I need help with is setting up the recognition. Auto does not work and I'm no too good with regular expressions.

Anyone?

Share and enjoy
Kjetil

Tags (1)
0 Karma
Reply

Ayn
Legend
‎07-06-2012 07:29 AM

It's not regular expressions you need, but rather strftime/strptime style definitions. I usually go to http://strftime.org/ for a quick reference on them - or if the short version there doesn't cover what I want, I do man strftime in a UNIX shell. These definitions should go in the TIME_FORMAT directive in the appropriate section in props.conf. So for your logs it should be something like:

[your_sourcetype]
TIME_FORMAT = %e%b%Y;%H:%M:%S
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...