This documentation does not apply to the most recent version of Splunk.
This documentation applies to the following versions of Splunk: 3.0 , 3.0.1 , 3.0.2 , 3.1 , 3.1.1 , 3.1.2 , 3.1.3 , 3.1.4
Timestamp processing can be controlled through props.conf. Most events will have timestamps which require no configuration. Some sources may need formatting help and some distributed deployments may require explicit timezone configuration for hosts.
Please note: Most adjustments can be affected through $SPLUNK_HOME/etc/bundles/local/props.conf. This is the fastest and most accurate method for customizing time and date recognition. You can train Splunk to recognize a timestamp, but configuring props.conf allows for more precision and faster processing time.
For help with time format, see the UNIX man page for strptime.
If your event contains more than one timestamp, you have the option of telling the Splunk Server which one it should use. This is especially useful with events that contain syslog host-chaining. Positional timestamp extraction is configured in props.conf.
Edit $SPLUNK_HOME/etc/bundles/local/props.conf and add the following stanza:
[source::<path>]
TIME_PREFIX = <regex>
Fill in path to match the full path of your source::. The regex value should indicate whatever data immediately precedes the desired timestamp.
Splunk recognizes the timestamps in the events for these source types and handles them correctly by using the TIME_FORMAT attribute in props.conf. Add the following stanza to $SPLUNK_HOME/etc/bundles/local/props.conf:
[<spec>] TIME_PREFIX = <regular expression> TIME_FORMAT = <strptime-style format>
<spec> can be:
TIME_PREFIX is a regular expression that points to the space exactly before your event's timestamp. For example, if your timestamp follows the phrase Time=, your regex should specify this part of the event. The timestamping algorithm will only look for a timestamp after the prefix in the event.
TIME_FORMAT specifies a strptime format string to extract the date. The strptime values should match the specific elements of your timestamp, in the correct order, so Splunk understands how to extract the timestamp in the correct format. For help with strptime values, see this page.
Example:
FOR: 04/24/07 PAGE 01
TIME_PREFIX = FOR: TIME_FORMAT = %m/%d/%y
Your logs may contain other information that Splunk parses as timestamps. For example:
1989/12/31 16:00:00 ed May 23 15:40:21 2007
Splunk may extract the date as Dec 31, 1989, which is not useful. In this case, you can configure props.conf to extract the correct timestamp:
[host::foo]
TIME_PREFIX = \d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} \w+\s
TIME_FORMAT = %b %d %H:%M:%S %Y
This entry will fix all timestamps from host::foo.
Please note: This configuration assumes that all timestamps coming in from host::foo will be in the same format. You will want to configure your props.conf stanza to be as granular as possible to avoid potential timestamping errors.
Time zone is set for a particular event in the following way:
TZ is set in props.conf to a valid timezone string, use that as the timezone for the event.
To set TZ in props.conf, add the following stanza to $SPLUNK_HOME/etc/bundles/local/props.conf:
[<spec>] TZ =<posix timezone string>
<spec> can be:
TZ=<posix timezone string> will set your time zone.
Example:
[host::nyc*] # from 2007 onward TZ = EST-5EDT,M3.2.0,M11.1.0
If host matches nyc*, this rule will set Eastern Time Zone.
By default, timestamps in Splunk follow the convention of MM/DD/YYYY:HH:MM:SS. Splunk can be set to use the European date format for timestamps, either permanently (through editing literals.conf) or on a single search basis (by using the timeformat: search modifier).
Please note: The only European date format that Splunk currently supports swaps %m and %d (DD/MM/YYYY:HH:MM:SS). Any other changes to the date string format will cause significant errors in SplunkWeb.
The date format can be set in two ways:
1. Permanently
You can permanently set timestamps to the European format by changing strings in literals.conf.
SEARCH_TERM_TIME_FORMAT key changes the format used by search modifiers, search terms, and SplunkWeb.
Original:
SEARCH_TERM_TIME_FORMAT=%m/%d/%Y:%H:%M:%S
For European date format change the key to:
SEARCH_TERM_TIME_FORMAT= %d/%m/%Y:%H:%M:%S
SEARCH_RESULTS_TIME_FORMAT key will change the format of the date string for events, and the SplunkWeb timeline.
Original:
SEARCH_RESULTS_TIME_FORMAT=%m/%d/%Y:%H:%M:%S
For European date format change the key to:
SEARCH_RESULTS_TIME_FORMAT=%d/%m/%Y:%H:%M:%S
2. Temporarily
You can temporarily set the timestamp to a European format for single search results by using the search modifier timeformat:. All Splunk timestamps have the default format timeformat:%m/%d/%Y:%H:%M:%S. Set the format of the date to the European date format by swapping the %m and %d parts of the argument string. Pipe your search to timeformat: in the search bar or CLI. This will cause the results to display the specified time format.
Example:
$YOUR_SEARCH | timeformat::%d/%m/%Y:%H:%M:%S"