Splunk Search

Date Time parsed incorrectly

rmorlen
Splunk Employee

We have data coming into Splunk that looks like:

DATA_FEED[00ZA044]:08/07 06:59:59 Got 'ABCDL NO PENDING TRANSACTIONS FOUND FOR REQUEST ' in file - LaLaStuff

DATA_FEED[00ZA044]:08/07 06:59:59 Queued time was 1.02, starting up a slave.

DATA_FEED[64946350]:08/07 06:59:59 Connecting to DB.

DATA_FEED[00ZA031]:08/07 06:59:59 received 'get_pending_orders:0038:12345678901'

The date/time is being parsed incorrectly. Splunk is reading the date for the above as 07/06/2008, which is really screwing things up.

We then modified the props and added:
TIME_FORMAT = %m/%d %H:%M:%S

Bounced all the searchheads and indexers with the new props. Still coming in wrong.


kristian_kolb
Ultra Champion

Would adding the following be of any help? Also, make sure that you add this config to the correct link in the chain, i.e. where the parsing phase occurs. That is normally the indexer, but if your data passes through a Heavy Forwarder before reaching the Indexers, the configs should go there. No need to put it on a dedicated Search Head, though it can't really hurt.

props.conf

[your_sourcetype]
TIME_PREFIX = \]:
MAX_TIMESTAMP_LOOKAHEAD = 20

Don't forget to restart - for more info, see http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings

/Kristian


rmorlen
Splunk Employee

Thanks. Not getting errors. Just being parsed incorrectly.


Ayn
Legend

Search heads will not need any updating - timestamp parsing is a pure index-time operation. Consider looking in splunkd.log for errors related to this (the timestamp processor is generally pretty good at throwing errors in the log).


linu1988
Champion

I use it and it works great for the newly indexed data!! Am I doing anything wrong without knowing?!


rmorlen
Splunk Employee

Thanks.

This works great.

TIME_FORMAT=%m/%d %H:%M:%S
TIME_PREFIX=\]:

Pushed the updated props.conf to the appropriate places. It did NOT require a restart or a refresh.


alacercogitatus
SplunkTrust

Unfortunately, linu1988, time recognition isn't one that can be hit with a debug/refresh. That one requires the Indexer restarts as kristian.kolb mentioned.

Ayn
Legend

No, you can't use the /debug/refresh endpoint for this. Any changes to settings affecting index-time behaviour require a restart to take effect.

linu1988
Champion

Don't use the full prefix; the answer posted is correct, as the time prefix only needs to be unique just before the timestamp starts. And FYI, if you want the configs to update without a restart you can use the link below; the new changes will be applied.

http://server:8000/en-US/debug/refresh

Except for some of the configs, minor changes can be done with it 🙂

rmorlen
Splunk Employee

Thanks. I will give that a try. Can't bounce our indexers until tonight (too many users).

I am also looking at: TIME_PREFIX = ^[^\]]+\]\:

Thanks for the link. Very useful.

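Since Splunk itself can't be run offline to try this out, here is an added Python model (not Splunk's code and not anything posted in the thread) of how the three props.conf settings from the accepted answer and the last post interact: the TIME_PREFIX regex locates where the timestamp starts, MAX_TIMESTAMP_LOOKAHEAD bounds how many characters past it are examined, and TIME_FORMAT is applied to that window. It uses four constructed events modelled on the ones in the question, the short `\]:` prefix from the accepted answer, the anchored `^[^\]]+\]:` prefix from the last post, and a year of 2008 as a parameter (Splunk supplies a missing year itself; the parameter is a simplification of this model, not a Splunk setting).

```python
import re
from datetime import datetime

# Constructed sample events, modelled on the lines in the question (not real data).
SAMPLE_EVENTS = [
    "DATA_FEED[00ZA044]:08/07 06:59:59 Got 'ABCDL NO PENDING TRANSACTIONS FOUND FOR REQUEST ' in file - LaLaStuff",
    "DATA_FEED[00ZA044]:08/07 06:59:59 Queued time was 1.02, starting up a slave.",
    "DATA_FEED[64946350]:08/07 06:59:59 Connecting to DB.",
    "DATA_FEED[00ZA031]:08/07 06:59:59 received 'get_pending_orders:0038:12345678901'",
]

# The props.conf values from the thread.
TIME_PREFIX = r"\]:"
TIME_FORMAT = "%m/%d %H:%M:%S"


def extract_timestamp(event, time_prefix, time_format, lookahead=20, year=2008):
    """Approximate the order in which Splunk applies the props.conf settings:
    1. TIME_PREFIX: a regex; the timestamp must begin right after its first match.
    2. MAX_TIMESTAMP_LOOKAHEAD: only this many characters after the prefix are examined.
    3. TIME_FORMAT: strptime syntax used to read the timestamp out of that window.
    Returns a datetime, or None when any step fails. Real Splunk fills in a missing
    year on its own; this simplified model takes it as the `year` parameter.
    """
    match = re.search(time_prefix, event)
    if match is None:
        return None
    window = event[match.end(): match.end() + lookahead]
    # strptime needs an exact match, so try the longest candidate first and shrink.
    for end in range(len(window), 0, -1):
        try:
            parsed = datetime.strptime(window[:end], time_format)
        except ValueError:
            continue
        if "%Y" not in time_format and "%y" not in time_format:
            parsed = parsed.replace(year=year)
        return parsed
    return None


def check_config(events, time_prefix, time_format, lookahead=20):
    """Run every event through one config; return a list of (event, timestamp-or-None)."""
    return [(e, extract_timestamp(e, time_prefix, time_format, lookahead)) for e in events]


if __name__ == "__main__":
    for event, ts in check_config(SAMPLE_EVENTS, TIME_PREFIX, TIME_FORMAT):
        print(ts, "<-", event[:40])
    # The fully anchored prefix from the last post lands on the same position.
    anchored = extract_timestamp(SAMPLE_EVENTS[0], r"^[^\]]+\]:", TIME_FORMAT)
    print("anchored prefix agrees:", anchored == extract_timestamp(SAMPLE_EVENTS[0], TIME_PREFIX, TIME_FORMAT))
    # Too small a lookahead cuts the timestamp off and nothing parses.
    print("lookahead=10 ->", extract_timestamp(SAMPLE_EVENTS[0], TIME_PREFIX, TIME_FORMAT, lookahead=10))
    # A prefix that matches too early leaves the bracketed id in the window.
    print("prefix DATA_FEED ->", extract_timestamp(SAMPLE_EVENTS[2], r"DATA_FEED", TIME_FORMAT))
```

Running it gives 2008-08-07 06:59:59 for every event with both prefixes, which is linu1988's point that the prefix only has to pin down the characters immediately before the timestamp. It also shows two ways such a config fails quietly: a MAX_TIMESTAMP_LOOKAHEAD of 10 truncates the window so no candidate matches TIME_FORMAT, and a prefix that matches too early (for example `DATA_FEED`) leaves `[64946350]:` at the front of the window. In real Splunk neither case returns None; the timestamp processor falls back to other strategies, which is why Ayn's advice to check splunkd.log is the practical way to catch these.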