[closed] Default _time extraction

I have an example log file with the following format:

Nov 05 10:33:37 servername applicationserver: instance,ipaddress,[05/Nov/2011:10:33:33 +0000]

I would like the second time column which contains [05/Nov/2011:10:33:33 +0000] to be column which is used for _time at index time, currently by default it uses Nov 05 10:33:37.

Any suggestion on how to tech splunk to use the alternative timestamp for _time would be appreciated.

Thanks

_time

asked 15 Nov '11, 08:10

camah4
1●1
accept rate: 0%

closed 15 Nov '11, 09:35

araitz ♦
7.9k●3●9●25

Please create only one post per question:

http://splunk-base.splunk.com/answers/34422/default-_time

(15 Nov '11, 09:36) araitz ♦

The question has been closed for the following reason "Duplicate Content" by araitz 15 Nov '11, 09:35

One Answer:

oldest newest most voted

0	Please see following manual. Hope this help. http://docs.splunk.com/Documentation/Splunk/4.2.4/Data/Configuretimestamprecognition link answered 15 Nov '11, 08:40 Takajian 745●2●3●15 accept rate: 18%

Follow this question

Email:

RSS:

Answers

Answers + Comments

Markdown Basics

*italic* or _italic_
**bold** or __bold__
link:[text](http://url.com/ "Title")
image?![alt text](/path/img.jpg "Title")
numbered list: 1. Foo 2. Bar
to add a line break simply add two spaces to where you would like the new line to be.
basic HTML tags are also supported

learn more about Markdown

Tags:

_time ×28

Asked: 15 Nov '11, 08:10

Seen: 350 times

Last updated: 15 Nov '11, 09:36

[closed] Default _time extraction

The question has been closed for the following reason "Duplicate Content" by araitz 15 Nov '11, 09:35

Follow this question

Splunk Resources

Related questions