Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to extract date and time in Splunk?

DonDandrea
Path Finder
‎06-12-2014 12:36 PM

I am having problems getting splunk to recognize date/time. The txt file I am extracting data from has multiple sources. Each source can have a different date/time format. Right now we are using two different types of events but will add new ones in the future. One of the two formats only includes a date. The other format has a date and a time but are not grouped together. See example below. 

ODEPR  ;04/28/14 ;1D81;CHM_retrieveIntmdDtlMDMPrntInqry ;ValidateResponse ;0.000 ;0.001 ;10704 ;PRO1BAT1 ;ValidateNode ;MQS2BRK
NODENP  ;06/12/14 ;1B90;0:22 ;PYM_entityCheckPatriotAct43A_MF ;FilterEndOfBatch ;0.000 ;0.000 ;9 ;TST1TRN3 ;FilterNode ;MQS9BRK

Any help you can provide would be greatly appreciated.

Thank you,
Don

Tags (3)
0 Karma
Reply

DonDandrea
Path Finder
‎06-13-2014 12:19 PM

I tried this and it worked for the entries that have a time. The entried that do not have time are indexed with the date the file was indexed. To be quite honest I don't care about the time. The entries are once a day. The date is the important piece.

0 Karma
Reply

lguinn2
Legend
‎06-12-2014 02:06 PM

As long as you keep the different sources in different input files or streams, you should be fine. But I think you will make yourself nuts if you mix more than one timestamp format in the same input.

For each input where you want to specify the time format, you will need an entry in props.conf

[source::/path/to/your/source/file.ext]
TIME_FORMAT=%m/%d/%y
MAX_TIMESTAMP_LOOKAHEAD = 50

This props.conf belongs on the indexer(s) that parse the data, not on the forwarders.

The MAX_TIMESTAMP_LOOKAHEAD is not required, but it is a good idea. I have set it so that it only examines the first 50 characters of the event for the timestamp.

More information here: How Splunk extracts timestamps

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...

Updated Data Management and AWS GDI Inventory in Splunk Observability

We’re making some changes to Data Management and Infrastructure Inventory for AWS. The Data Management page, ...