Configure timestamp recognition

Configure timestamp recognition

Most events don't require any special timestamp handling. Splunk automatically recognizes and extracts their timestamps. However, for some sources and distributed deployments, you might need to configure how Splunk extracts timestamps, so that they format properly.

There are two ways to configure timestamp extraction:

• Use the data preview feature to interactively adjust timestamps on sample data. Once you're happy with the results, you can save the changes to a new source type and then apply that source type to your data inputs. See the chapter "Preview your data".

• Edit props.conf directly. For information on how to edit props.conf for timestamp extraction, read on!

Splunk's timestamp processor

Splunk's timestamp processor is located by default in $SPLUNK_HOME/etc/datetime.xml. You ordinarily do not need to touch this file, unless you're dealing with unusual, custom timestamps. If you need to configure timestamp recognition in some way, you can usually make the necessary changes by setting props.conf timestamp attributes, as described below.

If you have a custom timestamp that can't be handled by configuring props.conf, you can substitute your own timestamp processor with the DATETIME_CONFIG attribute, described in the next section. This attribute specifies the file Splunk should use for timestamp processing.

Edit timestamp properties in props.conf

To configure how Splunk recognizes timestamps, edit props.conf. There are a number of attributes that pertain to timestamps. In particular, you can determine how Splunk recognizes a timestamp by using the TIME_FORMAT attribute to specify a strptime() format for the timestamp. You can also set other attributes pertaining to timestamps; for example, to specify where a timestamp is located in an event, what time zone to use, or how to deal with timestamps of varying currency.

Edit the props.conf file in $SPLUNK_HOME/etc/system/local/ or in your own custom application directory in $SPLUNK_HOME/etc/apps/. For information on configuration files in general, see "About configuration files" in the Admin manual.

To set Splunk's timestamp recognition, configure one or more of the timestamp attributes in props.conf. Refer to the props.conf specification file for detailed information regarding these and other attributes.

Syntax overview

Here's an overview of the syntax for the timestamp attributes:

[<spec>]
DATETIME_CONFIG = <filename relative to $SPLUNK_HOME>
TIME_PREFIX = <regular expression>
MAX_TIMESTAMP_LOOKAHEAD = <integer>
TIME_FORMAT = <strptime-style format>
TZ = <posix time zone string>
MAX_DAYS_AGO = <integer>
MAX_DAYS_HENCE = <integer>
MAX_DIFF_SECS_AGO = <integer>
MAX_DIFF_SECS_HENCE = <integer>

In this syntax, <spec> can be:

• <sourcetype>, the source type of an event.
• host::<host>, where <host> is the host value for an event.
• source::<source>, where <source> is the source value for an event.

If an event contains data that matches the value of <spec>, then the timestamp rules specified in the stanza apply to that event. You can have multiple stanzas, to handle different <spec> values.

Timestamp attributes

These are the timestamp attributes settable through props.conf:

DATETIME_CONFIG = <filename relative to $SPLUNK_HOME>

• Specify a file to use to configure Splunk's timestamp processor.
• By default, Splunk uses $SPLUNK_HOME/etc/datetime.xml as the timestamp processor.
• Under normal circumstances, you will not need to create your own timestamp processor file or modify Splunk's default datetime.xml file. The other props.conf attributes, described in this topic, can usually tweak Splunk's timestamp recognition capability to meet your needs. However, if your data has a custom timestamp format, you might need to substitute your own version of this file.
• Set DATETIME_CONFIG = NONE to prevent the timestamp processor from running. When timestamp processing is off, Splunk does not look at the text of the event for the timestamp--it instead uses the event's "time of receipt"; in other words, the time the event is received via its input. For file-based inputs, this means that Splunk derives the event timestamp from the modification time of the input file.
• Set DATETIME_CONFIG = CURRENT to assign the current system time to each event as it's indexed.

TIME_PREFIX = <regular expression>

• When set, Splunk looks for a match for this regex in the event text before attempting to extract a timestamp. The timestamp algorithm only looks for a timestamp in the event text that follows the end of the first regex match.
• You should use a regular expression that points exactly before your event's timestamp. For example, if the timestamp follows the phrase abc123 in your events, you should set TIME_PREFIX to abc123.
• If the TIME_PREFIX cannot be found in the event text, timestamp extraction does not take place.
• Defaults to empty string.

MAX_TIMESTAMP_LOOKAHEAD = <integer>

• Specify how far (how many characters) into an event Splunk should look for a timestamp.
• This constraint is applied starting from the location positioned by TIME_PREFIX.
  • For example, if TIME_PREFIX positions a location 11 characters into the event, and MAX_TIMESTAMP_LOOKAHEAD is set to 10, timestamp extraction will be constrained to characters 11 through 20.
• If set to 0 or -1, the length constraint for timestamp recognition is effectively disabled. This can have negative performance implications which scale with the length of input lines (or with event size when LINE_BREAKER is redefined for event splitting).
• Default is 150 characters.

TIME_FORMAT = <strptime-style format>

• Specifies a strptime() format string to extract the timestamp.
• strptime() is a Unix standard for designating time formats. For more information, see the section "Enhanced strptime() support", below.
• TIME_FORMAT starts reading after the TIME_PREFIX (or directly at the start of the event, if there's no TIME_PREFIX attribute). If you use a TIME_PREFIX, it must match up to and including the character before the timestamp begins. If you don't set TIME_PREFIX but you do set TIME_FORMAT, the timestamp must appear at the very start of each event; otherwise, Splunk will not be able to process the formatting instructions, and every event will contain a warning about the inability to use strptime. (It's possible that you will still end up with a valid timestamp, based on how Splunk attempts to recover from the problem.)
• For best results, the <strptime-style format> should describe the day of the year and the time of day.
• If <strptime-style format> contains an hour component, but no minute component, TIME_FORMAT ignores the hour component. It treats the format as an anomaly and considers the precision to be date-only.
• Default is empty.

TZ = <time zone identifier>

• Splunk's logic for determining a particular event's time zone is as follows:
  • If the event has a time zone in its raw text (such as UTC or -08:00), use that.
  • Otherwise, if TZ is set to a valid time zone string, use that. Specify a time zone setting using a value from the zoneinfo TZ database.
  • Otherwise, use the time zone of the system that is running splunkd.
• For more details and examples, see "Specify time zones of timestamps", in this manual.
• Defaults to empty.

MAX_DAYS_AGO = <integer>

• Specifies the maximum number of days in the past, from the current date, that an extracted date can be valid.
• For example, if MAX_DAYS_AGO = 10, Splunk ignores dates older than 10 days from the current date.
• Default is 2000; maximum is 10951.
• Note: If you have data that is more than 2000 days old, increase this setting.

MAX_DAYS_HENCE = <integer>

• Specifies the maximum number of days in the future from the current date that an extracted date can be valid.
• For example, if MAX_DAYS_HENCE = 3, dates that are more than 3 days in the future are ignored.
• Important: False positives are less likely with a tighter window; change with caution.
• If your servers have the wrong date set or are in a time zone that is one day ahead, set this value to at least 3.
• Defaults to 2. This allows timestamp extractions that are up to a day in the future. Maximum is 10950.

MAX_DIFF_SECS_AGO = <integer>

• If the event's timestamp is more than <integer> seconds before the previous timestamp, Splunk only accepts it if it has the same time format as the majority of timestamps from the source.
• Important: If your timestamps are wildly out of order, consider increasing this value.
• Defaults to 3600 (one hour), maximum is 2147483646.

MAX_DIFF_SECS_HENCE = <integer>

• If the event's timestamp is more than <integer> seconds after the previous timestamp, Splunk only accepts it if it has the same time format as the majority of timestamps from the source.
• Important: If your timestamps are wildly out of order, or if you have logs that are written less than once a week, consider increasing this value.
• Defaults to 604800 (one week), maximum is 2147483646.

Enhanced strptime() support

Use the TIME_FORMAT attribute in props.conf to configure timestamp parsing. This attribute takes a strptime() format string, which it uses to extract the timestamp.

Splunk implements an enhanced version of Unix strptime() that supports additional formats, allowing for microsecond, millisecond, any time width format, and some additional time formats for compatibility. The additional formats are listed in this table:

%N	For GNU date-time nanoseconds. Specify any sub-second parsing by providing the width: %3N = milliseconds, %6N = microseconds, %9N = nanoseconds.
%Q,%q	For milliseconds, microseconds for Apache Tomcat. %Q and %q can format any time resolution if the width is specified.
%I	For hours on a 12-hour clock format. If %I appears after %S or %s (like "%H:%M:%S.%l"), it takes on the log4cpp meaning of milliseconds.
%+	For standard Unix date format timestamps.
%v	For BSD and OSX standard date format.
%Z, %z, %::z, %:::z	GNU libc support.
%o	For AIX timestamp support (%o used as an alias for %Y).
%p	The locale's equivalent of AM or PM. (Note: there may be none.)

strptime() format expression examples

Here are some sample date formats, with the strptime() expressions that handle them:

1998-12-31	%Y-%m-%d
98-12-31	%y-%m-%d
1998 years, 312 days	%Y years, %j days
Jan 24, 2003	%b %d, %Y
January 24, 2003	%B %d, %Y
q|25 Feb '03 = 2003-02-25|	q|%d %b '%y = %Y-%m-%d|

Note: Splunk does not currently recognize non-English month names in timestamps. If you have an app that's writing non-English month names to log files, reconfigure the app to use numerical months, if possible.

Examples

Your data might contain an easily recognizable timestamp, such as:

...FOR: 04/24/07 PAGE 01...

To extract that timestamp, add this stanza in props.conf:

[host::foo]
TIME_PREFIX = FOR: 
TIME_FORMAT = %m/%d/%y

Your data might contain other information that Splunk parses as timestamps, for example:

...1989/12/31 16:00:00 ed May 23 15:40:21 2007...

Splunk extracts the date as Dec 31, 1989, which is not useful. In this case, configure props.conf to extract the correct timestamp from events from host::foo:

[host::foo]
TIME_PREFIX = \d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} \w+\s
TIME_FORMAT = %b %d %H:%M:%S %Y

This configuration assumes that all timestamps from host::foo are in the same format. Configure your props.conf stanza to be as granular as possible to avoid potential timestamping errors.

For detailed information on extracting the correct timestamp from events containing multiple timestamps, see "Configure timestamp assignment for events with multiple timestamps".

Configure timestamps for specific needs

You can use the attributes described in this topic to configure Splunk's timestamp extraction processor for some specialized purposes, such as:

• To apply time zone offsets.
• To pull the correct timestamp from events with more than one timestamp.
• To improve indexing performance.

Configure how timestamps appear in search results

You can use your browser's locale setting to configure how the browser formats Splunk timestamps in search results. For information on setting the browser locale, see "User language and locale".

Reconfigure how timestamps appear in raw data

Even though Splunk uses the browser locale to configure how timestamps appear in search results, the data still remains in its original format in the raw data. You might want to change this, so that the data format is standardized in both raw data and search results. You can do this by means of props.conf and transforms.conf. Here's an example:

Assume the timestamp data in the raw event looks like this:

06/07/2011 10:26:11 PM

but you want it to look like this (to correspond with how it appears in search results):

07/06/2011 10:26:11 PM

This example shows briefly how you can use props.conf and transforms.conf to transform the timestamp in the raw event.

In transforms.conf, add this stanza:

[resortdate]
REGEX = ^(\d{2})\/(\d{2})\/(\d{4})\s([^/]+)
FORMAT = $2/$1/$3 $4
DEST_KEY = _raw 

In props.conf, add this stanza, where <spec> qualifies your data:

[<spec>]
TRANSFORMS-sortdate = resortdate

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has around timestamp recognition and configuration.

• Was this topic useful?
• Post a comment