https://community.splunk.com/t5/Getting-Data-In/Props-conf-Timestamp-extraction-failed/m-p/699298#M115874 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/257739">@_olivier_</a>&nbsp;,</P><P>it seems to be a comma separated file, in this case, you must put props.conf also in the UF.</P><P>Ciao.</P><P>Giuseppe</P> Tue, 17 Sep 2024 14:55:42 GMT gcusello 2024-09-17T14:55:42Z https://community.splunk.com/t5/Getting-Data-In/Props-conf-Timestamp-extraction-failed/m-p/699263#M115869 <P>Hi splunkers ! I m facing an issue that is going to make me crazy ! I've got to set the timestamp in the following logs (timestamp field is the 11th field, the first one being the insert time by the proxy himself)&nbsp; : 2024-09-16T13:12:54+02:00 Logging-Client&nbsp;</P><LI-CODE lang="markup">"-1","username","1.2.3.4","POST","872","2211","www.facebook.com","/csp/reporting/","OBSERVED","","1726484997","2024-09-16 11:09:57","https","Social Networking","application/x-empty","","Minimal Risk","Remove 'X-Forwarded-For' Header","200","10.97.5.240","","","Firefox","102.0","Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0","firefox.exe","1.2.3.4","443","US","","t","t","t","f","f","computerName","","1.2.3.4","1.2.3.4","8080"</LI-CODE><P>So, I'm using a regex to extract fields and set the real timestamp in my props.conf :&nbsp;</P><LI-CODE lang="markup">[mySourcetype] SHOULD_LINEMERGE = false EXTRACT-mySourcetype = ^[^,\n]*,"(?P\w+)","(?P[^"]+)","(?P\w+)","(?P[^"]+)[^,\n]*,"(?P[^"]+)[^,\n]*,"(?P[^"]+)","(?P(?=\s*)|[^"]+)","(?P[^"]+)","(?P(?=\s*)|[^"]+)","(?P[^"]+)","(?P[^"]+)","(?P[^"]+)","(?P[^"]+)","(?P(?=\s*)|[^"]+)","(?P(?=\s*)|[^"]+)","(?P[^"]+)","(?P(?=\s*)|[^"]+)","(?P[^"]+)","(?P[^"]+)","(?P(?=\s*)|[^"]+)","(?P(?=\s*)|[^"]+)","(?P[^"]+)","(?P(?=\s*)|[^"]+)","(?P(?=\s*)|[^"]+)","(?P[^"]+)","(?P[^"]+)","(?P[^"]+)","(?P[^"]+)","(?P(?=\s*)|[^"]+)","(?P[^"]+)","(?P[^"]+)","(?P[^"]+)","(?P[^"]+)","(?P[^"]+)","(?P[^"]+)","(?P(?=\s*)|[^"]+)","(?P[^"]+)","(?P[^"]+)","(?P[^"]+)"$ TIME_PREFIX = (?:[^,]+,){11} TIME_FORMAT = %Y-%m-%d %H:%M:%S</LI-CODE><P>&nbsp;</P><P>&nbsp; Then, Ive got different results based on different source:</P><P>Upload a file directly in the search head &nbsp; &nbsp; &nbsp; &nbsp;</P><P>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Extraction&nbsp; &nbsp; <STRONG><FONT color="#339966">Ok &nbsp; &nbsp; &nbsp; &nbsp;</FONT> </STRONG>Timestamp&nbsp; &nbsp; <STRONG><FONT color="#339966">OK </FONT></STRONG></P><P>File red from an universal forwarder &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;</P><P>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Extraction&nbsp; &nbsp; &nbsp;<STRONG><FONT color="#339966">OK &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;</FONT> </STRONG>Timestamp&nbsp;&nbsp;<FONT face="arial black,avant garde" color="#FF0000">Failed </FONT></P><P>&nbsp;</P><P>The is NO heavy forwarder between the UF and the indexers.</P><P>The props.conf is deployed only on the SearchHeads. So, Something is tricky here !</P><P>&nbsp;</P><P>If someone got an idea, I will apreciate ! Cheers.</P> Tue, 17 Sep 2024 09:21:05 GMT https://community.splunk.com/t5/Getting-Data-In/Props-conf-Timestamp-extraction-failed/m-p/699263#M115869 _olivier_ 2024-09-17T09:21:05Z https://community.splunk.com/t5/Getting-Data-In/Props-conf-Timestamp-extraction-failed/m-p/699298#M115874 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/257739">@_olivier_</a>&nbsp;,</P><P>it seems to be a comma separated file, in this case, you must put props.conf also in the UF.</P><P>Ciao.</P><P>Giuseppe</P> Tue, 17 Sep 2024 14:55:42 GMT https://community.splunk.com/t5/Getting-Data-In/Props-conf-Timestamp-extraction-failed/m-p/699298#M115874 gcusello 2024-09-17T14:55:42Z