Parsing time failing

Question

Hi. I have done a good amount of reading on this, and it seems to be a popular subject both in the documentation and on the Answers site. Still, I'm rather stumped.

We have logs where each line starts with a date/time stamp in the format

YYYYmmdd HHMMSS hostname lots of other data

So

20110711 145022 myhost yadda yadda yadda

Splunk combines as many of these lines into one event as it can. We have tried adding the following to Props.conf on the Indexers but have had no success.

TIME_FORMAT = %Y%m%d %H%M%S
TZ = US/Eastern
MAX_EVENTS=1
SHOULD_LINEMERGE = false

Also tried TIME_FORMAT = ^%Y%m%d %H%M%S

Is this likely just a regex problem?

Other elements of the props.conf stanza are honored and acted upon when the data is indexed.

Given the simplicity of the timestamp and its presence at the very beginning of the line, I would think this would be easy to solve. Do we need to look at a custom datetime.xml file?

Thanks for any guidance.

Answer 1

1	Try adding a TIME_PREFIX element which tells Splunk where to look for the time. TIME_PREFIX = ^ TIME_FORMAT = %Y%m%d %H%M%S link answered 11 Jul '11, 11:54 ccannon1 11●1 accept rate: 0%

Answer 2

0

Thanks for the suggestion. At first, I thought this worked (!!) but a closer look showed that I was seeing additional results not related to the logs in quesiton.

When restricting my search properly, I'm still seeing the same problem I was before.

link

answered 11 Jul '11, 13:01

Sqig
225●1●11
accept rate: 23%

Answer 3

0	Your properties look right. I suppose I would question and check whether they are being applied to the incoming data. link answered 11 Jul '11, 13:06 gkanapathy ♦ 32.3k●4●8●27 accept rate: 41%

Answer 4

0	btool shows that the parameters described above are, in fact, being applied. I don't know of anything else I can check. link answered 11 Jul '11, 14:44 Sqig 225●1●11 accept rate: 23%

Parsing time failing

Follow this question

Splunk Resources

Related questions