https://community.splunk.com/t5/Getting-Data-In/props-conf/m-p/426135#M95081 <P>What have you tried so far and what problems are you running into? This is a platform for asking questions, not for asking other people to do your job for you <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 14 Jun 2019 13:34:52 GMT FrankVl 2019-06-14T13:34:52Z https://community.splunk.com/t5/Getting-Data-In/props-conf/m-p/426134#M95080 <P>Hi All,</P> <P>can anyone help us to figure out magic six for the below sample log?</P> <P>SHOULD_LINEMERGE=<BR /> LINE_BREAKER=<BR /> MAX_TIMESTAMP_LOOKAHEAD=<BR /> TIME_PREFIX=<BR /> TRUNCATE=<BR /> TIME_FORMAT=</P> <P>VersionNumber=7.2 build 13. Maint HF-005,Priority=N/A,LocalTranNumber=I32790D942,RemoteTranNumber=N/A,TransferStartTime=003940,TransferStartDate=20190327,</P> <P>Thanks in Advance!</P> Wed, 30 Sep 2020 00:55:59 GMT https://community.splunk.com/t5/Getting-Data-In/props-conf/m-p/426134#M95080 EHariharan 2020-09-30T00:55:59Z https://community.splunk.com/t5/Getting-Data-In/props-conf/m-p/426135#M95081 <P>What have you tried so far and what problems are you running into? This is a platform for asking questions, not for asking other people to do your job for you <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 14 Jun 2019 13:34:52 GMT https://community.splunk.com/t5/Getting-Data-In/props-conf/m-p/426135#M95081 FrankVl 2019-06-14T13:34:52Z https://community.splunk.com/t5/Getting-Data-In/props-conf/m-p/426136#M95082 <P>The "magic six" are usually defined by you or whomever knows the data. Essentially, you are telling Splunk where to break the events and how to identify the timestamps for indexing. </P> <P>I suggest you do this;</P> <UL> <LI>Identify what constitutes a new event.</LI> <LI>Identify what the timestamp for the event is in the event.</LI> </UL> <P>Just looking at that event, the TIME_FORMAT might look like this:<BR /> <CODE>TIME_PREFIX = TransferStartTime=</CODE><BR /> <CODE>TIME_FORMAT = %H%M%S,TransferStartDate=%Y%m%d</CODE></P> <P>You may not HAVE to use everything form the Magic 6, but you should try to if you can.</P> <P>What I usually do is bring in sample data into a standalone instance (usually running on my laptop) and use the "Add Data" ability to bring in the data and test out props before I deploy them out.</P> Wed, 30 Sep 2020 00:54:59 GMT https://community.splunk.com/t5/Getting-Data-In/props-conf/m-p/426136#M95082 ragedsparrow 2020-09-30T00:54:59Z https://community.splunk.com/t5/Getting-Data-In/props-conf/m-p/426137#M95083 <P>I'd move <CODE>TransferStartTime=</CODE> to the TIME_PREFIX setting, other than that I had the same suggestion in mind <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 14 Jun 2019 13:44:48 GMT https://community.splunk.com/t5/Getting-Data-In/props-conf/m-p/426137#M95083 FrankVl 2019-06-14T13:44:48Z https://community.splunk.com/t5/Getting-Data-In/props-conf/m-p/426138#M95084 <P>Hi <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/157089">@EHariharan</a> ,<BR /> The answer provided by <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/102823">@ragedsparrow</a> is how you should approach data onboarding. However, if you're the one tasked with owning the data, and you're just given some events you might try these values:<BR /> <PRE><BR /> SHOULD_LINEMERGE = false<BR /> LINE_BREAKER = ([\r\n]+)<BR /> TIME_PREFIX = TransferStartTime=<BR /> TIME_FORMAT = %H%M%S,TransferStartDate=%Y%m%d<BR /> TRUNCATE = 10000<BR /> MAX_TIMESTAMP_LOOKAHEAD = 40<BR /> </PRE></P> Wed, 30 Sep 2020 00:56:06 GMT https://community.splunk.com/t5/Getting-Data-In/props-conf/m-p/426138#M95084 jnudell_2 2020-09-30T00:56:06Z https://community.splunk.com/t5/Getting-Data-In/props-conf/m-p/426139#M95085 <P>Yeah, that is much better. Modified my answer to reflect that.</P> Fri, 14 Jun 2019 13:54:53 GMT https://community.splunk.com/t5/Getting-Data-In/props-conf/m-p/426139#M95085 ragedsparrow 2019-06-14T13:54:53Z https://community.splunk.com/t5/Getting-Data-In/props-conf/m-p/426140#M95086 <P>Thanks, jnudell_2. It worked </P> <P>Also, I would like to thank ragedsparrow and FrankVl .</P> Fri, 14 Jun 2019 14:52:26 GMT https://community.splunk.com/t5/Getting-Data-In/props-conf/m-p/426140#M95086 EHariharan 2019-06-14T14:52:26Z