How to set up TIME_FORMAT with time and date in separate locations?

winicd
New Member

I am having trouble setting up TIME_FORMAT= ????; the documentation helps only if the date and time are on one line.

In my case: the log file is generated from 00:00 to 23:59; the date is 032318 in the filename.
With the time format I get a timestamp for each line in this log file, but not the date!
I need a method to move the date from the filename into the TIME_FORMAT extraction, to index all lines with date and time.
Sample: filename: xxxx.020918_00004.log; here we have the date only.
The lines start like: 13:00:11.588 [5636.5636] ...... here are the timestamps from 00:00 to 23:59 for each day.
There is no date in the file!
How do I need to define the TIME_FORMAT in props.conf for this case?
TIME_FORMAT= %H:%M:%S ..... missing the DATE? for correct indexing
This is a question about the application NetBackup from Veritas and its logs:
for files in /usr/openv/netbackup/logs >>> date in log filename >> time in log file
for files in /usr/openv/logs >> we have unixtime time and date in the log file; this is no problem!

Thanks in advance,

Darius

0 Karma

Azeemering
Builder

If no events in a source have a date, Splunk software tries to find a date in the source name or file name. Time of day is not identified in filenames. (This requires that the events have a time, even though they don't have a date.)
For file sources, if no date can be identified in the file name, Splunk software uses the file modification time.
As a last resort, Splunk software sets the timestamp to the current system time when indexing each event.

In general I would just define TIME_FORMAT as %H:%M:%S.%3N in this case.
What happens when you try it with a sample?
I have done this a few times, and every time Splunk was able to pick up the date from the file name.

0 Karma
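To cross-check what ends up in `_time` after indexing, the expected timestamp can be rebuilt outside Splunk from the file-name date plus each line's time. This is an added example, not code from the posts or from Splunk; it assumes the file name carries MMDDYY as in the sample, that lines begin with `HH:MM:SS.mmm`, and the sample lines beyond the first are constructed.

```python
import re
from datetime import datetime
from pathlib import PurePosixPath

# Assumption: names follow the sample "xxxx.020918_00004.log" (<name>.<MMDDYY>_<seq>.log)
NAME_RE = re.compile(r"\.(\d{6})_\d+\.log$")
# Assumption: events start like "13:00:11.588 [5636.5636] ..."
LINE_RE = re.compile(r"^(\d{2}):(\d{2}):(\d{2})\.(\d{3})\s")

# Constructed sample input (first line is from the question, the rest is made up)
SAMPLE_PATH = "/usr/openv/netbackup/logs/xxxx.020918_00004.log"
SAMPLE_LINES = [
    "13:00:11.588 [5636.5636] ......",
    "    continuation line without a time",
    "13:00:12.001 [5636.5636] constructed second event",
]


def date_from_name(path):
    """Date encoded in the file name, or None if missing or not a valid MMDDYY."""
    m = NAME_RE.search(PurePosixPath(path).name)
    if not m:
        return None
    try:
        return datetime.strptime(m.group(1), "%m%d%y").date()
    except ValueError:
        return None


def expected_events(path, lines):
    """Return [(datetime, text)] combining the file-name date with each line's time."""
    day = date_from_name(path)
    if day is None:
        raise ValueError(f"no usable date in file name: {path}")
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and int(m[1]) < 24 and int(m[2]) < 60 and int(m[3]) < 60:
            h, mi, s, ms = (int(g) for g in m.groups())
            events.append((datetime(day.year, day.month, day.day, h, mi, s, ms * 1000), line))
        elif events:
            # No leading time: fold into the previous event (lines before the first event are skipped)
            ts, text = events[-1]
            events[-1] = (ts, text + "\n" + line)
    return events


if __name__ == "__main__":
    for ts, text in expected_events(SAMPLE_PATH, SAMPLE_LINES):
        print(ts.isoformat(timespec="milliseconds"), "|", text.splitlines()[0])
```

If the date computed here differs from the indexed `_time`, the event most likely fell through to the file modification time or index time described in the answer above.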