Getting Data In

Timestamp setting

rplagmeijer
New Member

Hi,

I am new to Splunk and trying to configure the timestamp.

The time in the file looks like this

10/2/2012 19:27:32:781:

Splunk translates it to 10/2/12 10:48:53.000 PM

I am using %d/%m/%Y %H:%M:%S:%3N:

What do I do wrong?

Any help is highly appreciated!

0 Karma

kristian_kolb
Ultra Champion

According to some sources (including strftime.net), %e designates a month 1-12 and %m a month 01-12, i.e. the difference is in the leading zero. Try replacing the %m with %e in your TIME_FORMAT.

This might not seem relevant, since Splunk parsed the date OK, but having part of the timestamp parsed wrong can lead to unpredictable results, and Splunk may be looking at numerical values further into the message to find something it thinks is the correct time.

Check the values of the timestartpos and timeendpos fields, which contain how far into the event (in bytes) Splunk had to go to identify the timestamp.


UPDATE:
Please note that this will not affect already indexed events, just new ones coming in after the configuration change.

I guess that you are doing this through the web GUI, rather than through the config files, and I'm not really up to date on the new wizard-style "add data" thingy.

Yes, the space is supposed to be there. Somewhere in your file system there will be a file called props.conf where this setting ended up.

Look in any of the following locations:

$SPLUNK_HOME/etc/apps/search/local
$SPLUNK_HOME/etc/apps/launcher/local 
$SPLUNK_HOME/etc/system/local

$SPLUNK_HOME is the Splunk installation directory, typically /opt/splunk on *nix machines and c:\program files\splunk on Windows.

There you will find the name of your sourcetype inside square brackets, with the corresponding configuration parameters underneath, e.g.

[your_sourcetype]
TIME_FORMAT = %d/%e/%Y %H:%M:%S:%3N:

There will be other parameters as well, and the same configuration can be present in more than one of these props.conf files.

Please post the parameter value for TIME_FORMAT, along with a few lines of real log data (mask out IP addresses, usernames etc. if you need to).

Hope this helps,

Kristian

0 Karma

kristian_kolb
Ultra Champion

See update above. Also, I agree with sowings that the correct date could come from NOW on the indexer, or perhaps more likely from the mod-time of the file.

0 Karma

rplagmeijer
New Member

Hi Kristian,

I changed the value "Specify timestamp format (strptime) ex: %Y-%m-%d"

to %d/%e/%Y %H:%M:%S:%3N like you suggested. It does not seem to change anything.
Is the space between %Y and %H valid?

0 Karma

sowings
Splunk Employee

I'm not sure that Splunk parsed the date OK; it looks like it might have been given "NOW" time when the event arrived at the indexer. I second the notion of swapping %m for %e. Also, consider checking the logs (splunkd.log in this case) for DateTimeParserVerbose events.

0 Karma
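The thread turns on two things: whether the %d and %m directives are in the order the data actually uses, and whether a line that does not fit the format silently gets index time ("NOW") instead, which corrupts the timeline an analyst later relies on. The following Python script is an added example, not part of this thread and not Splunk's own parser: it emulates a strptime-style TIME_FORMAT (covering %d, %m, %Y, %H, %M, %S and Splunk's %3N milliseconds; %e is deliberately not handled) against a few constructed log lines, and reports which lines would fail to parse under a given format so you can test a candidate TIME_FORMAT offline before changing props.conf. The sample lines are made up for this example.

```python
import re
from datetime import datetime
from typing import Optional

# strptime-style directives -> regex fragment with a named group.
# %3N is Splunk's millisecond directive; it is not part of C strptime
# or Python's datetime, which is why this is emulated with a regex.
_DIRECTIVES = {
    "%d": r"(?P<day>\d{1,2})",
    "%m": r"(?P<month>\d{1,2})",
    "%Y": r"(?P<year>\d{4})",
    "%H": r"(?P<hour>\d{2})",
    "%M": r"(?P<minute>\d{2})",
    "%S": r"(?P<second>\d{2})",
    "%3N": r"(?P<millis>\d{3})",
}


def format_to_regex(fmt: str) -> "re.Pattern[str]":
    """Translate a TIME_FORMAT string into a regex anchored at the start of the line.

    Literal characters (slashes, colons, spaces) are escaped so that the
    trailing ':' in the thread's format is matched literally.
    """
    parts = []
    i = 0
    while i < len(fmt):
        for directive, pattern in _DIRECTIVES.items():
            if fmt.startswith(directive, i):
                parts.append(pattern)
                i += len(directive)
                break
        else:
            parts.append(re.escape(fmt[i]))
            i += 1
    return re.compile("^" + "".join(parts))


def parse_timestamp(line: str, fmt: str) -> Optional[datetime]:
    """Return the timestamp at the start of `line` under `fmt`, or None if it does not fit.

    None is the case a defender cares about: Splunk would fall back to
    another time source (index time or file mtime, as the thread notes),
    so the event lands at the wrong point in the timeline.
    """
    m = format_to_regex(fmt).match(line)
    if not m:
        return None
    g = m.groupdict()
    try:
        return datetime(
            int(g["year"]), int(g["month"]), int(g["day"]),
            int(g["hour"]), int(g["minute"]), int(g["second"]),
            int(g.get("millis") or 0) * 1000,
        )
    except ValueError:
        # e.g. month 13: the directive order does not fit the data
        return None


def audit(lines, fmt: str) -> dict:
    """Count lines that parse under `fmt` and collect those that would not."""
    parsed = 0
    failed = []
    for line in lines:
        if parse_timestamp(line, fmt) is None:
            failed.append(line)
        else:
            parsed += 1
    return {"parsed": parsed, "failed": failed}


# Constructed sample events (not real log data). The third line is written
# month/day, so it only fits a format that puts %m before %d.
SAMPLE_LINES = [
    "10/2/2012 19:27:32:781: login ok user=alice",
    "3/2/2012 08:15:01:004: login failed user=bob",
    "2/13/2012 22:05:44:120: login failed user=carol",
]

if __name__ == "__main__":
    fmt = "%d/%m/%Y %H:%M:%S:%3N:"
    print(parse_timestamp(SAMPLE_LINES[0], fmt))
    report = audit(SAMPLE_LINES, fmt)
    print(f"parsed={report['parsed']} failed={len(report['failed'])}")
    for line in report["failed"]:
        print("would get fallback time:", line)
```

Run it against a copy of your own file with the TIME_FORMAT you intend to set; any line listed under "failed" is one Splunk would not timestamp from the event text, which is worth knowing before an investigation depends on _time.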