Log entries have timestamps with Taiwan years. Taiwan year = current year - 1911, so this year is 99. By default Splunk sees the time as the year 1999 and shows old data.
Is this something I can use datetime.xml for? Maybe an offset?
I don't know of a way to have it read that. Splunk uses strptime, plus a few additions (like %Z, %3N, and I think it might be able to pick up hexadecimal epoch time) but I am not aware of a way to offset dates or times at index time. It can definitely pick up hex epoch time.
(14 Apr '10, 03:23)
dskillman ♦
2
Support for offsets (or Taiwanese years) would be an enhancement request. For this case you might be able to get away with a strptime that ignores the year, with a TIME_PREFIX that skips past it (be sure your regex doesn't fail next year when they go to 100). We should be able to default to the current year. Untested. 4-digit years are highly recommended. Sounds like Taiwan will go through this learning experience next year.
(17 Apr '10, 00:14)
jrodman ♦
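The workaround jrodman describes, written out as a props.conf stanza. This is an added example, not configuration from the thread or from Splunk's own documentation. The sourcetype name `roc_app` and the line layout are assumptions: the constructed sample lines look like `99/04/14 03:23:45 user login ok`, where `99` is the ROC (Minguo) year, i.e. the Gregorian year minus 1911. The first stanza reproduces the failure from the question; the second is the fix.

```ini
# props.conf (added example, not from the thread). Sourcetype name and
# log layout are assumptions. Constructed sample event:
#   99/04/14 03:23:45 user login ok
# where 99 is the ROC year (Gregorian year - 1911).

# --- What the question describes: %y treats "99" as 1999 ---------------
# [roc_app_broken]
# TIME_FORMAT = %y/%m/%d %H:%M:%S
# Result: _time lands in April 1999 and the events sort as old data.

# --- Workaround: skip the ROC year and let Splunk supply the year -------
[roc_app]
# TIME_PREFIX is a regex; timestamp parsing starts right after the match.
# \d{2,3} keeps matching when the year rolls from 99 to 100 (Gregorian
# 2011); a \d{2} pattern would silently stop matching that day.
TIME_PREFIX = ^\d{2,3}/
# No %Y or %y in the format, so Splunk fills in the year from the
# indexer's clock, the same fallback it uses for year-less syslog stamps.
TIME_FORMAT = %m/%d %H:%M:%S
# "04/14 03:23:45" is 14 characters; cap the lookahead so the parser does
# not wander into the message body looking for something better.
MAX_TIMESTAMP_LOOKAHEAD = 14
# Timezone of the source host (assumption), so the supplied year and the
# parsed month/day/time combine into the correct epoch value.
TZ = Asia/Taipei
```

Two caveats a practitioner should keep in mind. First, the year comes from the indexer's clock at index time, not from the event, so a December 31 log line that is indexed after midnight on January 1 is stamped with the new year; this is the same year-rollover problem seen with syslog timestamps, and re-indexing old files will always assign them the current year. Second, the `_raw` text still carries the ROC year, so any field extraction or search that reads the year out of the event text sees 99 (or 100), not 2010; the fix only affects `_time`.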