topic Re: Time_PREFIX for Props.conf with unstructured text file in Getting Data In

Time_PREFIX for Props.conf with unstructured text file

SplunkDash — Fri, 25 Jun 2021 04:37:17 GMT

Hi There,

Here is a segment of my sample data . Data is in text format. My Props.conf file has also been provided below. I have some issues to figure out what I would write in TIME_PREFIX for my PROPS.Conf file (please see below). Any help will be highly appreciated, thank you.

SHOULD_LINEMERGE=false

LINE_BREAKER=([\r\n]+)

CHARSET=UTF-8

TIME_PREFIX=

TIME_FORMAT=%Y-%m-%d %H:%M:%S.%3N

MAX_TIMESTAMP_LOOKAHEAD=18

Thank you and Regards,

Re: Time_PREFIX for Props.conf with unstructured text file

venkatasri — Fri, 25 Jun 2021 05:26:45 GMT

Hi @SplunkDash

Its bit tricky to find from screenshot only prefix of time you have is space which is \s, you can try something as follows, you shall change other params as well. If your text event having pre-determined spaces before timestamp just use the exact number.. something like if you have fixed 10 spaces \s{10}.

TIME_PREFIX = \s{6,}

MAX_TIMESTAMP_LOOKAHEAD = 23

TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3Q

----

An upvote would be appreciated and accept solution if it helps!

Re: Time_PREFIX for Props.conf with unstructured text file

SplunkDash — Fri, 25 Jun 2021 05:36:11 GMT

Hi venkatasri,

Thank you for your quick response, appreciated. Unfortunately, it's not a fixed space...it varies from 2 to 20+.... please see another segment of sample data.

Re: Time_PREFIX for Props.conf with unstructured text file

venkatasri — Fri, 25 Jun 2021 05:53:40 GMT

Hi @SplunkDash

I do not find a possibility to set TIME_PREFIX for your case i would rather leave the timestamp detection to Splunk, splunk is able to detect if you do not set any TIME* related conf.

Re: Time_PREFIX for Props.conf with unstructured text file

SplunkDash — Fri, 25 Jun 2021 06:00:43 GMT

Then what would be my PROPS.CONF file........

Re: Time_PREFIX for Props.conf with unstructured text file

venkatasri — Fri, 25 Jun 2021 06:35:28 GMT

@SplunkDash Test with following and see how timestamp is being set by Splunk. Additionally you can set TZ which is a timezone if your event timezone is different from indexer.

SHOULD_LINEMERGE=false LINE_BREAKER=([\r\n]+)

----

An upvote would be appreciated and accept solution if it helps!

Re: Time_PREFIX for Props.conf with unstructured text file

SplunkDash — Fri, 25 Jun 2021 06:41:00 GMT

Thank you so much, appreciated!

Re: Time_PREFIX for Props.conf with unstructured text file

venkatasri — Fri, 25 Jun 2021 07:16:22 GMT

@SplunkDash please accept solution if it helps!