hour component of timestamp ignored, because there...

imrago · ‎07-04-2013

I would like to extract this timestamp:

2013-07-03,8

with

%Y-%m-%d,%H

but I am unable to that because:
If <strptime-style format> contains an hour component, but no minute component, TIME_FORMAT ignores the hour component. It treats the format as an anomaly and considers the precision to be date-only. Splunk Docs

How could I disable that feature?

chimbudp · ‎07-04-2013

You can use REGEX , in this case :
You may need to edit the props.conf

BREAK_ONLY_BEFORE =
* When set, Splunk creates a new event only if it encounters a new line that matches the
regular expression.
* Defaults to empty.

MUST_BREAK_AFTER =
* When set and the regular expression matches the current line, Splunk creates a new event for
the next input line.
* Splunk may still break before the current line if another rule matches.
* Defaults to empty.

MUST_NOT_BREAK_AFTER =
* When set and the current line matches the regular expression, Splunk does not break on any
subsequent lines until the MUST_BREAK_AFTER expression matches.
* Defaults to empty.

MUST_NOT_BREAK_BEFORE =
* When set and the current line matches the regular expression, Splunk does not break the
last event before the current line.
* Defaults to empty.
* List item

imrago · ‎07-04-2013

The line breaking is working fine and Splunk is finding the timestamps.

The problem is that only the date part is used.

chimbudp · ‎07-04-2013

This site may be helpful in creating regex :
http://gskinner.com/RegExr/

hour component of timestamp ignored, because there is no minute component

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life