How to setup TIME_FORMAT with time and date in sep...

winicd · ‎03-25-2018

I get trouble to setup TIME_FORMAT= ????, the documents help only if Date and time is in one line.

In my case : The log file is generateted from 00:00 to 23:59 date is 032318 in Filename.
on time format i get for each line in this log file timestamp but not date !
I need methode to move the Date from the filename to the TIME_FORMAT extraction for index all line with date and time.
sample : filesname : xxxx.020918_00004.log here we have the date only
The have starting line like : 13:00:11.588 [5636.5636] ...... here are the time stamps from 00:00 to 23:59 for each day
There no date in the file!
how do need to define the TIME_FORMATE in props.conf for this case ?
TIME_FORMAT= %H:%M:%S ..... missing the DATE ? for correct indexing
this is a question about application NETbackup from Veritas and his logs
on files in /usr/openv/netbackup/logs >>> date in logfilename >> time in logfile
on files in /usr/openv/logs >> we have unixtime time and date in log file this no proplem !

Thank in advanced,

Darius

Azeemering · ‎03-25-2018

If no events in a source have a date, Splunk software tries to find a date in the source name or file name. Time of day is not identified in filenames. (This requires that the events have a time, even though they don't have a date.)
For file sources, if no date can be identified in the file name, Splunk software uses the file modification time.
As a last resort, Splunk software sets the timestamp to the current system time when indexing each event.

In general I would just define TIME_FORMAT as H:M:S.%3N in this case.
What happens when you try it with a sample?
I have done a few times and every time splunk was able to pick up the date from the file name.

How to setup TIME_FORMAT with time and date in separate locations ?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life