topic Re: I would like to get some help to process the following timestamp, included in the example, please: in Getting Data In

I would like to get some help to process the following timestamp, included in the example, please:

fvasquezchacon — Wed, 01 Oct 2014 12:46:48 GMT

The following is one event of the data:

MACUL     DIRP101 JUL14 00:00:00 5577 INFO DIRP_FLOW_LOG REASON= 15 SSYS#= 2   
           SSNAME= OM   POOL#= 4 VOLUME#= 68 SOS_FILE_ID= 2949 0005 003C   
           TEXT1= SCHEDULED OG ROTATE COMPLETED, RECORDS: 46628    PARM1= 1978   
           TEXT2= VOL: D050OM3, FILE: A140913000088OM, ROTATE:     PARM2= 2A67

I tried using timestamps tab when indexing the data, with not succesful results. I think I have been doing something wrong.

Thanks in advanced!

Re: I would like to get some help to process the following timestamp, included in the example, please:

felipetesta — Wed, 01 Oct 2014 13:37:51 GMT

Hello. Can you tell us exactly which is the timestamp in the example? Is the event multiline exactly as shown? Do your events look all the same? (Same format, same line length, same begin string, ...)

Re: I would like to get some help to process the following timestamp, included in the example, please:

richgalloway — Wed, 01 Oct 2014 13:39:08 GMT

Is 'JUL14 00:00:00' the timestamp field? If so, does it represent 14th July of the current year or something else?

Re: I would like to get some help to process the following timestamp, included in the example, please:

fvasquezchacon — Wed, 01 Oct 2014 15:56:57 GMT

Hi!

Thanks for the quick answer.

In relation to your questions, the time stamp is: "JUL14 00:00:00".

In fact, the event is multiline. They do not have the same format and line length (unfortunately). They do begin with the word "MACUL" in this log, but the following strings can vary.

The timestamp represents 14th July of the current year.

In addition, this logs come from a Huawei Softx300 softswitch.

Thanks a lot!

Re: I would like to get some help to process the following timestamp, included in the example, please:

richgalloway — Wed, 01 Oct 2014 17:11:34 GMT

Try adding the following to the appropriate stanza of your props.conf file.

SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = MACUL
TIME_FORMAT = %b%d %H:%M:%S

Re: I would like to get some help to process the following timestamp, included in the example, please:

fvasquezchacon — Wed, 01 Oct 2014 18:59:21 GMT

Thanks for the answer, but unfortunately it seems not to be working as expected.

I click on the advanced mode (props.conf) tab and paste the stanza recieved. Bellow there is the result given for the timestamp:

9/25/01 4:51:20.000 PM

Did I do it correctly? I have read about editing the props.conf, but I haven't worked with this yet. I would apreciate you could tell me if I'm doing OK please.

Thanks!

Re: I would like to get some help to process the following timestamp, included in the example, please:

richgalloway — Wed, 01 Oct 2014 19:42:46 GMT

You may need to add a TZ statement to your props file, but your problem appears to be more than that. I wonder if Splunk has a bug processing the %b format string if it is not delimited.

Re: I would like to get some help to process the following timestamp, included in the example, please:

fvasquezchacon — Fri, 03 Oct 2014 14:43:58 GMT

Hi!

Thanks for your help. It was very usefull in order to solve this issue.

As we reviewed, I had some problems but with this settings on the timestamp tab, it worked:

Location: Timestamp is always prefaced by pattern: MACUL\s+\S+\s

Format: Timestamp format (strptime): %b%d %H:%M:%S

On the preview sreen, it seems to not work well (the result was not OK), nevertheless I continued indexing and the result was different and it worked.,Hi!

Thanks for your help. It was very usefull in order to solve this issue.

As we reviewed, I had some problems but with this settings on the timestamp tab, it worked:

Location: Timestamp is always prefaced by pattern: MACUL\s+\S+\s

Format: Timestamp format (strptime): %b%d %H:%M:%S

On the preview sreen, it seems to not work well (the result was not OK), nevertheless I continued indexing and the result was different and it worked.

Re: I would like to get some help to process the following timestamp, included in the example, please:

richgalloway — Fri, 03 Oct 2014 14:50:57 GMT

I'm glad you got it working. Please accept the answer to help others in future.

Re: I would like to get some help to process the following timestamp, included in the example, please:

fvasquezchacon — Fri, 03 Oct 2014 14:51:08 GMT

Sorry, but I don't know why the backslash symbol does not appear in my post. For the location pattern, the correct stanza is:

Location: Timestamp is always prefaced by pattern: MACUL(backslash)s+(backslash)S+(backslash)s

Re: I would like to get some help to process the following timestamp, included in the example, please:

richgalloway — Fri, 03 Oct 2014 14:57:52 GMT

Backslash is the escape character. To insert a backslash you can either use two backslashes or enclose your text in backtics (`).