I know there have been other questions asked about splunk parsing dates. However, I have what appears to be a unique situation where I do not understand how Splunk is interpreting dates.

I have the following log entries:

8:58:05.202 PM  [3/6/12 19:58:05:202 EST] 000002f9 LTPAServerObj W SECJ0371W: Validation of the LTPA token failed because the token expired with the following info: Token expiration Date: Tue Mar 06 19:55:26 EST 2012, current Date: Tue Mar 06 19:58:05 EST 2012.

host=fmgpapp05 sourcetype=RulesOnline source=/log/parpapp051/SystemOut.log date_mday=12 date_hour=19 date_minute=58

Why is Splunk tagging the log entry as "06/12/11" when the log date is actually "3/6/12"?

asked 08 Mar '12, 06:48

steveirogers

edited 08 Mar '12, 08:47

dwaddle ♦


One Answer:

Why is - Because Splunk sees the first date as the timestamp. But don't worry, you can easily fix that. I assume that the sourcetype for this data is RulesOnline. In $SPLUNK_HOME/etc/system/local/props.conf, put

[RulesOnline]
TIME_PREFIX = \[
MAX_TIMESTAMP_LOOKAHEAD = 60

This tells Splunk that the timestamp appears AFTER the first [ and that the timestamp appears within the first 60 characters of the event. When there are multiple strings that could be interpreted as timestamps, you sometimes need to give Splunk a little help to pick the right one.

There is more info in the manual here.


answered 08 Mar '12, 07:27

lguinn ♦
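To make the effect of the two settings concrete, here is an added Python illustration (not part of the original answer, and not Splunk's own timestamp recogniser) that scans the event from the question the way the answer describes: without a prefix it picks the leftmost thing that looks like a time, which is the date-less `8:58:05.202 PM`, so the date has to be filled in from context (earlier events in the file or the file's modification time), which is how a surprising date like 06/12/11 can appear; with a prefix of `\[` and a lookahead window it finds the full `3/6/12 19:58:05:202 EST` instead. The recogniser here is a simplified three-pattern stand-in; the real props.conf keys are `TIME_PREFIX` and `MAX_TIMESTAMP_LOOKAHEAD`.

```python
import re
from datetime import datetime

# Constructed sample: the event from the question, used here as test input.
SAMPLE_EVENT = (
    "8:58:05.202 PM  [3/6/12 19:58:05:202 EST] 000002f9 LTPAServerObj W SECJ0371W: "
    "Validation of the LTPA token failed because the token expired with the following info: "
    "Token expiration Date: Tue Mar 06 19:55:26 EST 2012, "
    "current Date: Tue Mar 06 19:58:05 EST 2012."
)

# Simplified stand-in for a timestamp recogniser (an assumption of this example,
# not Splunk's real pattern list). Each entry is (regex, strptime format,
# carries_date). Capture groups hold only the parts strptime will parse; the
# zone abbreviation is matched but dropped because %Z is platform dependent.
CANDIDATES = [
    # WebSphere style "3/6/12 19:58:05:202 EST" -- has a date
    (re.compile(r"(\d{1,2}/\d{1,2}/\d{2} \d{1,2}:\d{2}:\d{2}:\d{3}) [A-Z]{3}"),
     "%m/%d/%y %H:%M:%S:%f", True),
    # Java Date.toString() style "Tue Mar 06 19:55:26 EST 2012" -- has a date
    (re.compile(r"([A-Z][a-z]{2} [A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2}) [A-Z]{3} (\d{4})"),
     "%a %b %d %H:%M:%S %Y", True),
    # Wall-clock "8:58:05.202 PM" -- time only, no date
    (re.compile(r"(\d{1,2}:\d{2}:\d{2}\.\d{3} [AP]M)"),
     "%I:%M:%S.%f %p", False),
]


def extract_timestamp(event, time_prefix=None, max_lookahead=None):
    """Mimic TIME_PREFIX / MAX_TIMESTAMP_LOOKAHEAD.

    Scanning starts right after the first match of time_prefix (or at the
    start of the event), considers only the next max_lookahead characters,
    and returns the leftmost candidate that fits entirely in that window.
    Returns None when nothing parses, and has_date=False when only a
    wall-clock time was found (the date would then have to come from context).
    """
    start = 0
    if time_prefix is not None:
        prefix_match = re.search(time_prefix, event)
        if prefix_match is None:
            return None
        start = prefix_match.end()
    window = event[start:] if max_lookahead is None else event[start:start + max_lookahead]

    best = None  # (offset in window, matched text, strptime format, carries_date)
    for pattern, fmt, carries_date in CANDIDATES:
        m = pattern.search(window)
        if m is not None and (best is None or m.start() < best[0]):
            best = (m.start(), m.group(0), datetime.strptime(" ".join(m.groups()), fmt), carries_date)
    if best is None:
        return None
    _, text, parsed, carries_date = best
    return {"matched": text, "timestamp": parsed, "has_date": carries_date}


if __name__ == "__main__":
    # Default behaviour: the date-less "8:58:05.202 PM" wins because it is leftmost.
    print(extract_timestamp(SAMPLE_EVENT))
    # With the answer's settings the bracketed WebSphere timestamp is found.
    print(extract_timestamp(SAMPLE_EVENT, time_prefix=r"\[", max_lookahead=60))
    # A window too short to hold the whole timestamp finds nothing at all.
    print(extract_timestamp(SAMPLE_EVENT, time_prefix=r"\[", max_lookahead=20))
```

The third call shows the caveat behind the follow-up comment about 50 versus 60: the bracketed timestamp is 23 characters long and starts immediately after the `[`, so any lookahead of roughly 25 or more works, while one that cuts the timestamp off leaves the recogniser with nothing to parse.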

Thanks Lguinn. My question might have been misleading and I just want to clarify. The "6/12/11" is not part of the log entry. The actual log entry is: 8:58:05.202 PM [3/6/12 19:58:05:202 EST] 000002f9 LTPAServerObj W SECJ0371W: Validation of the LTPA token failed because the token expired with the following info: Token expiration Date: Tue Mar 06 19:55:26 EST 2012, current Date: Tue Mar 06 19:58:05 EST 2012

Splunk is creating the log entry as "6/12/11" when I would have expected it to be "03/06/12"

(08 Mar '12, 08:13) steveirogers

I think that the time prefix and lookahead will still work, although I might change the lookahead value to 50 instead of 60. And I am not sure why it messed up the timestamp.

(08 Mar '12, 10:04) lguinn ♦