I have lines of data that look like this (1 line) in the file source="C:\Temp\testResultLog.csv":
RT0963-01,7/02/2013 13:33:22,19/04/2013 11:13:03,0,R_1812,0,Netscape3.0,0,0,0,172.21.0.132,172.21.0.132,ohm-web-7.9.5 (d921a - 2013-05-02 13:30:00),20130502_133229,2/05/2013 20:00:02,2/05/2013 20:00:08,6,True,DAVIDJ-3500,x86,4
For the file containing these lines I have the following in the props.config file:
[testResultLog]
CHECK_FOR_HEADER = true
KV_MODE = none
MAX_TIMESTAMP_LOOKAHEAD = 20
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = False
TIME_FORMAT = %d/%m/%y %H:%M:%S
TIME_PREFIX = \d{8}_\d{6},
pulldown_type = 1
This should extract the time as indicated in bold in the data. For times before May, Splunk extracted this correctly; however, from May, it parses the date in the above line as the 5th of February, whereas it should parse it as the second of May.
An example of a line that was parsed correctly:
BT01-02,18/03/2008 9:26:09,19/04/2013 11:11:16,0,R_1812,0,Netscape3.0,0,0,3,172.21.0.120,172.21.0.120,ohm-web-8.0.0-SNAPSHOT (c2601 - 2013-04-28 21:01:16),20130429_110040,29/04/2013 11:00:43,29/04/2013 11:02:34,111,True,DAVIDJ-3500,x86,4
Thanks for the help!
David
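An added check, not part of the original post and using Python's strptime rather than Splunk's own timestamp processor: it applies the posted TIME_PREFIX and lookahead to excerpts of the two sample events, then tries the posted format and two comparison formats. The function names and the two four-digit-year formats are assumptions introduced for this example.

```python
import re
from datetime import datetime

# Values copied from the props stanza in the post.
TIME_PREFIX = re.compile(r"\d{8}_\d{6},")
MAX_TIMESTAMP_LOOKAHEAD = 20
POSTED_FORMAT = "%d/%m/%y %H:%M:%S"

# Comparison formats (assumptions for this example, not from the post).
DAY_FIRST_4Y = "%d/%m/%Y %H:%M:%S"
MONTH_FIRST_4Y = "%m/%d/%Y %H:%M:%S"

# Excerpts of the two sample events in the post, cut to the fields around the timestamp.
MISPARSED = ("ohm-web-7.9.5 (d921a - 2013-05-02 13:30:00),20130502_133229,"
             "2/05/2013 20:00:02,2/05/2013 20:00:08,6,True")
PARSED_OK = ("ohm-web-8.0.0-SNAPSHOT (c2601 - 2013-04-28 21:01:16),20130429_110040,"
             "29/04/2013 11:00:43,29/04/2013 11:02:34,111,True")


def extract_candidate(line):
    """Return the first CSV field found inside the lookahead window after TIME_PREFIX."""
    m = TIME_PREFIX.search(line)
    if m is None:
        return None
    window = line[m.end():m.end() + MAX_TIMESTAMP_LOOKAHEAD]
    return window.split(",")[0]


def try_parse(text, fmt):
    """Parse text with fmt, returning None when the format does not fit."""
    try:
        return datetime.strptime(text, fmt)
    except ValueError:
        return None


def interpretations(line):
    """Map each candidate format to the datetime it yields (or None) for this event."""
    text = extract_candidate(line)
    return {fmt: try_parse(text, fmt)
            for fmt in (POSTED_FORMAT, DAY_FIRST_4Y, MONTH_FIRST_4Y)}


if __name__ == "__main__":
    for label, line in (("misparsed", MISPARSED), ("parsed ok", PARSED_OK)):
        print(label, repr(extract_candidate(line)))
        for fmt, value in interpretations(line).items():
            print("   ", fmt, "->", value)
```

The two-digit-year format fits neither timestamp under strptime, and only the 2/05/2013 value can also be read month-first; 29/04/2013 has no valid month-first reading.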