https://community.splunk.com/t5/Getting-Data-In/How-to-configure-props-conf-to-identify-and-convert-my-sample/m-p/126483#M26038 <P>It works now, I used old configuration from your first post...</P> <P>Nikola </P> Tue, 07 Apr 2015 12:41:09 GMT nikolab 2015-04-07T12:41:09Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-props-conf-to-identify-and-convert-my-sample/m-p/126479#M26034 <P>Hi there..</P> <P>I have a big problem with props.conf. I have logs from a server with time format like this..<BR /> 0402 220121.414712...this means MMDD HHMMSS.QQQQQQ<BR /> Need help with Regex for props.conf, respectively I need to convert this string into time.</P> <P>thanks for any help</P> <P>Nikola </P> Fri, 03 Apr 2015 08:09:47 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-props-conf-to-identify-and-convert-my-sample/m-p/126479#M26034 nikolab 2015-04-03T08:09:47Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-props-conf-to-identify-and-convert-my-sample/m-p/126480#M26035 <P>Hi Nikola,</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.2.2/Data/HowSplunkextractstimestamps">Splunk can often identify timestamps on its own</A>. Yet we can improve its performance by <A href="http://docs.splunk.com/Documentation/Splunk/6.2.2/Data/Configuretimestamprecognition">telling Splunk exactly where to find the timestamp (and its format)</A>. </P> <P>In some cases, like the one in your question, Splunk does not recognize the timestamp. Still, we can easily <A href="http://docs.splunk.com/Documentation/Splunk/6.2.2/Data/HowSplunkextractstimestamps">instruct Splunk what timestamp to expect</A> using <A href="http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Commontimeformatvariables">strptime notation</A>. Bonus: We can also use that notation to format the timestamp as we'd like to see it at search time. </P> <P>Here is a sample props.conf entry you could use to do all of those things (I'm making the assumption the events start with <CODE>0402 220121.414712</CODE> and <CODE>sourcetype=nix-all-logs</CODE><span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> <PRE><CODE>[nix-all-logs] SHOULD_LINEMERGE=false LINE_BREAKER=([\r\n]+)\d{4}\s\d{6}\.\d{6} TIME_PREFIX=^ MAX_TIMESTAMP_LOOKAHEAD=20 TIME_FORMAT=%m%d %H%M%S.%6N EVAL-timestamp=strftime(_time,"%Y-%m-%d %H:%M:%S.%6N") </CODE></PRE> Fri, 03 Apr 2015 12:28:43 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-props-conf-to-identify-and-convert-my-sample/m-p/126480#M26035 bwooden 2015-04-03T12:28:43Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-props-conf-to-identify-and-convert-my-sample/m-p/126481#M26036 <P>bwooden thank you for your answer and effort..<BR /> This was a problem for me..I can do it in search but with props there was a problem..<BR /> I will try this on next week..have a nice day</P> <P>nikola</P> Sat, 04 Apr 2015 13:36:56 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-props-conf-to-identify-and-convert-my-sample/m-p/126481#M26036 nikolab 2015-04-04T13:36:56Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-props-conf-to-identify-and-convert-my-sample/m-p/126482#M26037 <P>Hi bwooden,<BR /> Unfortunately after reconfiguration my props.conf file, the problem persists, time format is still unrecognizable.<BR /> Have you any idea why?</P> <P>Thanks<BR /> Nikola </P> Tue, 07 Apr 2015 12:32:33 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-props-conf-to-identify-and-convert-my-sample/m-p/126482#M26037 nikolab 2015-04-07T12:32:33Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-props-conf-to-identify-and-convert-my-sample/m-p/126483#M26038 <P>It works now, I used old configuration from your first post...</P> <P>Nikola </P> Tue, 07 Apr 2015 12:41:09 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-props-conf-to-identify-and-convert-my-sample/m-p/126483#M26038 nikolab 2015-04-07T12:41:09Z