Getting Data In

Splunk cannot parse ISO8601/RFC3339 timestamp (e.g. 2017-05-09T19:56:50.233319+00:00)

efcasado
New Member

I am having issues getting Splunk to parse the ISO8601/RFC3339 timestamps included in my log messages.

I am using the syslog data source, which I configured to parse timestamps with the following format string: %Y-%m-%dT%H:%M:%S.%6N%:z

This is how the props.conf file looks like (I also tried increasing the MAX_TIMESTAMP_LOOKAHEAD setting to 64 but did not help):

[syslog]
DATETIME_CONFIG =
MAX_TIMESTAMP_LOOKAHEAD = 32
NO_BINARY_CHECK = true
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6N%:z
disabled = false

This is how Splunk is outputing my log messages:

2017-05-09T19:56:50.233319+00:00 myhost myapp1[13861]: 19:56:50.233 [info] This is just a dummy log message

As you can see, Splunk is automatically adding yet another timestamp to my log message (i.e. 19:56:50.233) just as if it was not able to parse the original timestamp.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi efcasado,
having an example of your logs I could test it, but It seems to me that the problem may be on the timezone

%Y-%m-%dT%H:%M:%S.%6N%z

Bye.
Giuseppe

0 Karma

koshyk
Super Champion

can you please add the raw data here too. Splunk won't add new time as per above config, but I feel it is added by your syslog server or upstream system

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...