- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Difficulty in Timestamp Recongnition
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi there,
I am trying to have splunk know the right timestamp in the following event.
COR_00000001,Com1,LOC_00000001,DC1,SUB_00000001,21F,GRP_00000001,Rack1,CON_00000001,Saving,8A0000000521A81D_1,2010/09/03,3F PW System,Powe,8A0000000521A81D_1,kWh,2010/09/03 00:00:00,15,83946325
There is a .csv file, and there are a header line at the first line and the rest of the lines are similar to the event above.
The correct timestamp is "2010/09/03 00:00:00" which is in %Y/%m/%d %H:%M:%S format.
My props.conf looks like the follwing, but I can not get the right timestamp.
[source::<path>]
CHECK_FOR_HEADER=false
[<sourcetype>]
SHOULD_LINEMERGE = False
BREAK_ONLY_BEFORE_DATE = False
TIME_FORMAT = %Y/%m/%d %H:%M:%S
Could anyone help me out?
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would first try it without TIME_FORMAT but increase:
MAX_TIMESTAMP_LOOKAHEAD = <integer>
* Specifies how far (in characters) into an event Splunk should look for a timestamp.
* Defaults to 150.
Only if the result is still bad you might continue with TIME_FORMAT.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would also recommend that you add sourcetype = <sourcetype> in your [source::<path>] stanza. Otherwise you risk the wrong sourcetype association and then your TIME_FORMAT and other sourcetype-based settings will not be applied. Splunk may be getting this right on it's own, but I've found it helpful to be explicit about sourcetype associations. That's my 2 cents.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would first try it without TIME_FORMAT but increase:
MAX_TIMESTAMP_LOOKAHEAD = <integer>
* Specifies how far (in characters) into an event Splunk should look for a timestamp.
* Defaults to 150.
Only if the result is still bad you might continue with TIME_FORMAT.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks meno! it worked 🙂
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
