https://community.splunk.com/t5/Getting-Data-In/order-of-parsing-sedcmd-and-time-prefix/m-p/498448#M84952 <P>Hi,</P> <P>we have a syslog message like:<BR /> Mar 20 16:27:09 hostname.com Mar 20 16:17:01 hostname 2020-20-03 16:27:02,486 hostname messsage</P> <P>with a sedcmd I can remove the first part until the year.<BR /> Then I have:<BR /> 2020-20-03 16:27:02,486 hostname messsage</P> <P>If there is another timestring in the message I have to us TIME_RPEFIX in props.conf. <BR /> What regex do I have to use? Starting at line beginning (that is after sedcnd) oder on the initial message with a ittle bit more regex?</P> <P>What is theparsing order splunk uses in props.conf? First sedcmd and the prefix or is stripping the very last thing splunk does with the event?</P> <P>Torsten </P> Fri, 20 Mar 2020 16:04:05 GMT tfechner 2020-03-20T16:04:05Z https://community.splunk.com/t5/Getting-Data-In/order-of-parsing-sedcmd-and-time-prefix/m-p/498448#M84952 <P>Hi,</P> <P>we have a syslog message like:<BR /> Mar 20 16:27:09 hostname.com Mar 20 16:17:01 hostname 2020-20-03 16:27:02,486 hostname messsage</P> <P>with a sedcmd I can remove the first part until the year.<BR /> Then I have:<BR /> 2020-20-03 16:27:02,486 hostname messsage</P> <P>If there is another timestring in the message I have to us TIME_RPEFIX in props.conf. <BR /> What regex do I have to use? Starting at line beginning (that is after sedcnd) oder on the initial message with a ittle bit more regex?</P> <P>What is theparsing order splunk uses in props.conf? First sedcmd and the prefix or is stripping the very last thing splunk does with the event?</P> <P>Torsten </P> Fri, 20 Mar 2020 16:04:05 GMT https://community.splunk.com/t5/Getting-Data-In/order-of-parsing-sedcmd-and-time-prefix/m-p/498448#M84952 tfechner 2020-03-20T16:04:05Z https://community.splunk.com/t5/Getting-Data-In/order-of-parsing-sedcmd-and-time-prefix/m-p/498449#M84953 <P><CODE>SEDCMD</CODE> comes after <CODE>TIME_PREFIX</CODE>. See <A href="https://www.aplura.com/assets/pdf/props_conf_order.pdf">https://www.aplura.com/assets/pdf/props_conf_order.pdf</A></P> Fri, 20 Mar 2020 16:53:44 GMT https://community.splunk.com/t5/Getting-Data-In/order-of-parsing-sedcmd-and-time-prefix/m-p/498449#M84953 richgalloway 2020-03-20T16:53:44Z https://community.splunk.com/t5/Getting-Data-In/order-of-parsing-sedcmd-and-time-prefix/m-p/498450#M84954 <P>so first is: line_breaker,<BR /> then time_prefix and time string<BR /> then I strip with sedcmd</P> <P>when will the event merged together in case of multiline events?</P> Wed, 30 Sep 2020 04:40:22 GMT https://community.splunk.com/t5/Getting-Data-In/order-of-parsing-sedcmd-and-time-prefix/m-p/498450#M84954 tfechner 2020-09-30T04:40:22Z https://community.splunk.com/t5/Getting-Data-In/order-of-parsing-sedcmd-and-time-prefix/m-p/498451#M84955 <P>That happens in the Aggregation Queue (before SEDCMD).</P> Fri, 20 Mar 2020 18:01:48 GMT https://community.splunk.com/t5/Getting-Data-In/order-of-parsing-sedcmd-and-time-prefix/m-p/498451#M84955 richgalloway 2020-03-20T18:01:48Z