Refine your search:

What is the best timestamp format to use for my custom log to be indexed by Splunk?

6

What is the best timestamp format to use for my custom log to be indexed by Splunk?

Sensible choices are:

Round-trip pattern  2010-08-06T16:43:04.1291862-04:00
Full pattern        Friday, August 06, 2010 4:47:02 PM
RFC1123 pattern     Fri, 06 Aug 2010 16:45:17 GMT
ISO 8601 pattern    2010-08-06T16:45:47
UTC sortable        2010-08-06 16:46:36Z

asked 06 Aug '10, 20:49

ftk's gravatar image

ftk ♦
6.8k1727
accept rate: 38%

Great question. +1 Why has no one else voted this up?

(18 Feb '11, 17:44) Lowell ♦

Couldn't tell ya buddy, couldn't tell ya :-)

(18 Feb '11, 22:06) ftk ♦

Also, I am using Reound-trip pattern mostly now, Splunk parses it easily and it is easy to do in PowerShell (get-date -f s).

(18 Feb '11, 22:07) ftk ♦
One Answer:
oldestnewestmost voted
3

I tend to prefer the Round-trip, ISO, or UTC sortable pattern or ISO pattern with the TZ info. It doesn't matter too much if you specify an explicit format in Splunk, but it's probably best to indicate a 4-digit year, 2-digit 24-hour hours, numeric (rather than locale-specific textually named) months, and an absolutely unambiguous time zone (e.g., EST is not a good TZ). Day of the week is superfluous. Using GMT/UTC/Zulu time helps to avoid errors and problems around DST switches as well, since that zone never switches.

link

answered 06 Aug '10, 21:41

gkanapathy's gravatar image

gkanapathy ♦
32.4k4827
accept rate: 41%

Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×100

Asked: 06 Aug '10, 20:49

Seen: 1,518 times

Last updated: 06 Aug '10, 21:41

Related questions

What is the best custom log event format for Splunk to eat?

Index timestamp off by an hour

What is the best way to add timestamps to a large log file without timestamps?

Custom Squid log format

Formatting data to be parsed by splunk.

Does splunk support timestamps that use Modified Julian Day (MJD)?

Splunk pulling the date from log data - not timestamp

Pad thousandths of a second in timestamp with leading zeros

Timestamp Issues

Copyright © 2005-2012 Splunk Inc. All rights reserved.