Hi All,
I'm trying to add WebLogic 10.3 log files to the indexer and I'm struggling to get the timestamp parsed correctly. I'm new to Splunk, so I may need a little more step-through/concept help; please ignore my lack of understanding.
My log file has data like this
The parsing/output in Preview looks like this
8/6/12 3:00:14.000 PM ####<13/08/2012 12:00:14 AM EST>
As you can see the parsing of the date time isn't working and I get an exclamation mark in preview complaining about 'could not use strptime to parse the timestamp...'
The currently applied settings look like this in the preview page:
NO_BINARY_CHECK=1
TIME_FORMAT=%d/%m/%Y %I:%M:%S %p
TZ=Australia/Melbourne
These previous posts don't work and complain about syntax at startup time.
http://splunk-base.splunk.com/answers/8142/how-do-i-extract-useful-information-into-fields-from-orac...
Any help would be appreciated...
Thanks heaps,
Parth
Hi, I am also new to Splunk.
I met the same problem: _time can't be mapped to the true log time.
My solution is as below
First:
I go to WLS Server-->server-->your server name-->logging-->advanced-->Date Format Pattern
I change it from yyyy/M/d ahh'時'mm'分'ss'秒' z to yyyy/M/d HH'-'mm'-'ss'-' z
Second:
After I restart the WLS Server, I go to the Splunk server to create a new field named log_time.
pattern like
log_time=2014/11/24 15-32-50
Now you can use log_time to search your wls_log like
host=Peter-PC log_time>"2014/11/23 11-00-00", and you will get the events that occurred after 2014/11/23 11-00-00.
I hope this can help you.
by Peter
I found something that could be better.
Use the same way to change the date format pattern in the WebLogic console log config:
change it to yy/M/d HH':'mm':'ss, such as 14/12/12 16:52:09
Then Splunk can parse this pattern into the default _time field correctly.
So you can use _time to search and don't need to define a log_time field.
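Added example, not from the original posts: a Python sketch that checks a strptime format against the sample values quoted in this thread before they are relied on for `_time`. It uses Python's `strptime` as a stand-in for Splunk's parser; the `^####<` prefix regex (the role the `TIME_PREFIX` setting plays in props.conf), the assumption that the format is applied where scanning starts, and the constructed event tails are all illustrative assumptions.

```python
import re
from datetime import datetime

def parse_leading_timestamp(text, fmt):
    """Return the datetime that fmt matches at the start of text, else None.

    Characters after the timestamp are ignored by retrying on
    progressively shorter prefixes, longest first.
    """
    for end in range(len(text), 0, -1):
        try:
            return datetime.strptime(text[:end], fmt)
        except ValueError:
            continue
    return None

def extract(event, fmt, prefix=None, lookahead=40):
    """Apply fmt right after the prefix regex, or at the event start if none."""
    start = 0
    if prefix is not None:
        m = re.search(prefix, event)
        if m is None:
            return None  # prefix not found: no timestamp extracted
        start = m.end()
    return parse_leading_timestamp(event[start:start + lookahead], fmt)

# Constructed samples built around the values quoted in the thread.
QUESTION_EVENT = "####<13/08/2012 12:00:14 AM EST> <Info> <constructed message>"
QUESTION_FORMAT = "%d/%m/%Y %I:%M:%S %p"
CASES = [
    ("question, no prefix", QUESTION_EVENT, QUESTION_FORMAT, None),
    ("question, prefix ^####<", QUESTION_EVENT, QUESTION_FORMAT, r"^####<"),
    ("Peter, first pattern", "2014/11/24 15-32-50- CST", "%Y/%m/%d %H-%M-%S", None),
    ("Peter, second pattern", "14/12/12 16:52:09", "%y/%m/%d %H:%M:%S", None),
]

def run_cases():
    """Map each case name to the parsed datetime, or None when nothing parses."""
    return {name: extract(ev, fmt, prefix) for name, ev, fmt, prefix in CASES}

if __name__ == "__main__":
    for name, result in run_cases().items():
        print(f"{name:26} -> {result if result else 'NOT PARSED'}")
```

Wrong timestamps on ingested events skew time-range searches and alert windows, so running candidate formats against real sample lines before deploying them is a cheap check.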