Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Please provide the time_prefix and time_format for below event type.

lksridhar
Explorer
‎01-10-2018 04:53 AM

Hi folks,

Could you please anyone provide the TIME_PREFIX and TIME_FORMAT for below events type.

10.30.3.247 - - [08/Oct/2017:23:01:00 -0500] "GET /replocator-ws/services/RepDealerLocator?wsdl HTTP/1.1" 200 29638

Tags (1)
0 Karma
Reply

mayurr98
Super Champion
‎01-10-2018 05:41 AM

@p_gurav

[<spec>]
TIME_PREFIX = \[
TIME_FORMAT = %d/%b/%Y:%H:%M:%S %z

there will : instead of space

0 Karma
Reply

lksridhar
Explorer
‎01-10-2018 06:36 AM

The above methods is not working and the below format is working

TIME_PREFIX=[
TIME_FORMAT= %d/%b/%Y :%H:%M:%S %-4N

0 Karma
Reply

mayurr98
Super Champion
‎01-10-2018 06:49 AM

the sample event that you have mention does not contain space
if it does then you can write

TIME_FORMAT = %d/%b/%Y :%H:%M:%S %z
0 Karma
Reply

p_gurav
Champion
‎01-10-2018 05:09 AM

Hi lksridhar,

TIME_PREFIX = \[
TIME_FORMAT = %d/%b/%Y %H:%M:%S %z

Before this can you also try increasing value for MAX_TIMESTAMP_LOOKAHED property in props.conf file

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...