Getting Data In

How to set up TIME_FORMAT with time and date in separate locations?

winicd
New Member

I am having trouble setting up TIME_FORMAT = ????; the documentation only helps if the date and time are on one line.

In my case: the log file is generated from 00:00 to 23:59, and the date (032318) is in the filename.
With the time format I get a timestamp for each line in this log file, but no date!
I need a method to move the date from the filename into the TIME_FORMAT extraction so that all lines are indexed with date and time.
Sample filename: xxxx.020918_00004.log (here we have the date only).
The lines start like: 13:00:11.588 [5636.5636] ...... These are the timestamps from 00:00 to 23:59 for each day.
There is no date in the file!
How do I need to define TIME_FORMAT in props.conf for this case?
TIME_FORMAT = %H:%M:%S ..... is missing the DATE needed for correct indexing?
This is a question about the NetBackup application from Veritas and its logs:
For files in /usr/openv/netbackup/logs: date in the log filename, time in the log file.
For files in /usr/openv/logs: we have Unix time (time and date) in the log file, so this is no problem!

Thanks in advance,

Darius

0 Karma

Azeemering
Builder

If no events in a source have a date, Splunk software tries to find a date in the source name or file name. Time of day is not identified in filenames. (This requires that the events have a time, even though they don't have a date.)
For file sources, if no date can be identified in the file name, Splunk software uses the file modification time.
As a last resort, Splunk software sets the timestamp to the current system time when indexing each event.

In general I would just define TIME_FORMAT as %H:%M:%S.%3N in this case.
What happens when you try it with a sample?
I have done this a few times and every time Splunk was able to pick up the date from the file name.

0 Karma
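As an added example (not from either post), here is a props.conf stanza that applies the answer above: the time-of-day format with millisecond precision and no date component, scoped to the /usr/openv/netbackup/logs path from the question. The stanza uses Splunk's `...` source wildcard; the line-breaking settings and the lookahead value are assumptions based on the sample line 13:00:11.588 [5636.5636] shown in the question.

```ini
# props.conf -- added example, not from the original posts.
# Scope: every file under /usr/openv/netbackup/logs (the path from the
# question); "..." is Splunk's match-any-path wildcard for source stanzas.
[source::/usr/openv/netbackup/logs/...]
# Assumption: one event per line, so no multi-line merging.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
# The time stamp is the first token on the line, e.g. 13:00:11.588 (12 chars).
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 12
# Hours:minutes:seconds.milliseconds with no date. Because the event carries
# no date, Splunk falls back to a date found in the file name (020918 in
# xxxx.020918_00004.log), then the file modification time, then current time,
# as described in the answer above.
TIME_FORMAT = %H:%M:%S.%3N
```

After loading a sample file, confirm the fallback did what you expect before indexing in bulk: a search such as `source="/usr/openv/netbackup/logs/*" | eval day=strftime(_time, "%Y-%m-%d") | stats count by source, day` should show exactly one day per file, matching the date embedded in that file's name. If a file maps to the indexing date instead, the filename date was not recognised and the last-resort fallback (current system time) was used.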