Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Timestamp recognition

elaine0102
Explorer
‎10-03-2012 08:12 PM

Hi, I have successfuly extracted a timestamp. However, I need Splunk to recognised it as the event timestamp.
Please kindly guide me what should I do to achieve that.
Thank you.

e.g. created_time = 2012-09-26T02:59:57+0000

TIME_PREFIX = created_time
TIME_FORMAT = %Y-%m-%dT%H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 27

Tags (1)
0 Karma
Reply

Ayn
Legend
‎10-03-2012 10:25 PM

You don't really need to use the TIME_PREFIX unless there are other timestamps before this one in your event, or if this timestamp is located very far into the event text. Similarly you don't need to change MAX_TIMESTAMP_LOOKAHEAD from its default unless you have a good reason to do so.

Other than that, your TIME_FORMAT looks fine. What are your current results with these settings?

UPDATE: So, I did a second check - it seems Python's strptime (which is what Splunk uses) is pretty picky about that you need to specify how it should handle ALL of the string you want to parse. In your case, that string would be "2012-09-26T02:59:57+0000", and Python's strptime complains about the trailing "+0000":

>>> time.strptime("2012-09-26T02:59:57+0000","%Y-%m-%dT%H:%M:%S")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python2.6/_strptime.py", line 454, in _strptime_time
    return _strptime(data_string, format)[0]
  File "/usr/local/lib/python2.6/_strptime.py", line 328, in _strptime
    data_string[found.end():])
ValueError: unconverted data remains: +0000

This trailing +0000 can be referred to in some strptime implementations as %z - however, unfortunately Python does not support this identifier. The workaround I can think of is to specify a combination of TIME_PREFIX and MAX_TIMESTAMP_LOOKAHEAD that make sure that ONLY the part of the timestamp before the +0000 is included (i.e. "2012-09-26T02:59:57").

Reply

BobM
Builder
‎05-22-2013 09:25 AM

Assuming the number after the + is 10,000ths of a second you can tell splunk to use this with :-

TIME_FORMAT = %Y-%m-%dT%H:%M:%S+%4N

If it is consistently +0000 you can specify it in the time format.

TIME_FORMAT = %Y-%m-%dT%H:%M:%S+0000

0 Karma
Reply

Ayn
Legend
‎10-07-2012 09:50 PM

I believe you would include the + character with that MAX_TIMESTAMP_LOOKAHEAD (unless you have a space after "created_time"). Check splunkd.log to see what it says about its strptime parsing attempts.

0 Karma
Reply

elaine0102
Explorer
‎10-07-2012 05:18 PM

I tried the following config, however it does not work too:

TIME_PREFIX = created_time
TIME_FORMAT = %Y-%m-%dT%H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 23

0 Karma
Reply

Ayn
Legend
‎10-05-2012 02:43 AM

OK. I did some more tests - see my updated answer.

0 Karma
Reply

elaine0102
Explorer
‎10-04-2012 11:58 PM

current config:
TIME_PREFIX = created_time
TIME_FORMAT = %Y-%m-%dT%H:%M:%S

I did not remove TIME_PREFIX as I do need it.
As the timestamp is located very far into the event text.

0 Karma
Reply

Ayn
Legend
‎10-04-2012 11:52 PM

I checked your time format against the sample date you provided, and it works just like it should. What's your current config? Did you remove the TIME_PREFIX and MAX_TIMESTAMP_LOOKAHEAD?

0 Karma
Reply

elaine0102
Explorer
‎10-03-2012 11:44 PM

Pardon me for my confusing issue. Created_time is the one I want it to be my event_time.

Previously, I have overlooked the warning of timestamp and had the created_time became one of the interesting field.

Thus, I guessed that is why my event_time is the time when I added the data into Splunk and not the created_time as my event_time.

0 Karma
Reply

elaine0102
Explorer
‎10-03-2012 11:42 PM

Sorry, just realised that I encountered this warning when I preview my data with the following setting:

TIME_PREFIX = created_time
TIME_FORMAT = %Y-%m-%dT%H:%M:%S

Warning: Could not use strptime to parse timestamp from
" = 2012-09-26T02:59:57+0000 , updated_time = 2012-10-01T01:40:34+0000 counter:0".

0 Karma
Reply

Ayn
Legend
‎10-03-2012 11:01 PM

If Splunk extracted your timestamp correctly, what do you mean by that it is not your event time? Do you mean that you have created a separate extraction that extracts this timestamp as a FIELD, but on top of that you want Splunk to use this as the event timestamp as well?

Which timestamp does Splunk currently use for these events? If you check your splunkd.log, do you see any errors related to the timestamp extraction for this source?

0 Karma
Reply

elaine0102
Explorer
‎10-03-2012 10:53 PM

Thanks for replying.
Yes, I do need TIME_PREFIX and you are right, I do not need to change the default MAX_TIMESTAMP_LOOKAHEAD.

My current result is that Splunk has successfully extract the timestamp that I want. However, on Splunk search, it does not show the timestamp that I extracted as my event time.

What I should go about to make that as my event time?

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...