https://community.splunk.com/t5/Splunk-Search/timestamp-lookahead/m-p/432887#M170693 <P>Hello</P> <P>i have this event for example:</P> <PRE><CODE>$changeSystemTimeCmd 1533808153 -newTime 1533808153 -oldTime 1533808147 </CODE></PRE> <P>i need to set the timestamp to take the first number after the first string. in this can it is </P> <BLOCKQUOTE> <P>$changeSystemTimeCmd</P> </BLOCKQUOTE> <P>but it can be any string.<BR /> i tried with timestamp lookahead 30 but the problem is that i can't know what will be the length of this first string<BR /> how can i set timestamp lookahead regex to take the first number after first string ?</P> Tue, 18 Jun 2019 12:02:37 GMT sarit_s 2019-06-18T12:02:37Z https://community.splunk.com/t5/Splunk-Search/timestamp-lookahead/m-p/432887#M170693 <P>Hello</P> <P>i have this event for example:</P> <PRE><CODE>$changeSystemTimeCmd 1533808153 -newTime 1533808153 -oldTime 1533808147 </CODE></PRE> <P>i need to set the timestamp to take the first number after the first string. in this can it is </P> <BLOCKQUOTE> <P>$changeSystemTimeCmd</P> </BLOCKQUOTE> <P>but it can be any string.<BR /> i tried with timestamp lookahead 30 but the problem is that i can't know what will be the length of this first string<BR /> how can i set timestamp lookahead regex to take the first number after first string ?</P> Tue, 18 Jun 2019 12:02:37 GMT https://community.splunk.com/t5/Splunk-Search/timestamp-lookahead/m-p/432887#M170693 sarit_s 2019-06-18T12:02:37Z https://community.splunk.com/t5/Splunk-Search/timestamp-lookahead/m-p/432888#M170694 <P>Hi,</P> <P>You can use below configuration on Indexer/Heavy Forwarder whichever comes from UF to setup timestamp at index time if you don't have any whitespace in first string.</P> <P>props.conf</P> <PRE><CODE>[yoursourcetype] TIME_FORMAT=%s TIME_PREFIX=^(?:[^\s]+)\s MAX_TIMESTAMP_LOOKAHEAD=10 </CODE></PRE> Tue, 18 Jun 2019 12:18:18 GMT https://community.splunk.com/t5/Splunk-Search/timestamp-lookahead/m-p/432888#M170694 harsmarvania57 2019-06-18T12:18:18Z https://community.splunk.com/t5/Splunk-Search/timestamp-lookahead/m-p/432889#M170695 <P>i don't have indexer or HF<BR /> im running on all in one configuration so the sourcetype configuration located on props.conf in the app</P> <P>it is working ! can you please explain why MAX_TIMESTAMP_LOOKAHEAD=10 ?</P> Wed, 30 Sep 2020 00:59:56 GMT https://community.splunk.com/t5/Splunk-Search/timestamp-lookahead/m-p/432889#M170695 sarit_s 2020-09-30T00:59:56Z https://community.splunk.com/t5/Splunk-Search/timestamp-lookahead/m-p/432890#M170696 <P>If you are running standalone splunk instance then also it will work. I have tested same config in Add Data in my lab splunk instance and it is working for me. </P> <P><CODE>MAX_TIMESTAMP_LOOKAHEAD</CODE> will count after <CODE>TIME_PREFIX</CODE>, in above config <CODE>TIME_PREFIX</CODE> regex cover till first whitespace so this <CODE>$changeSystemTimeCmd</CODE> is captured with TIME_PREFIX regex and after that you have 10 digit epoch time format so I have given 10 in <CODE>MAX_TIMESTAMP_LOOKAHEAD</CODE></P> Wed, 30 Sep 2020 00:59:59 GMT https://community.splunk.com/t5/Splunk-Search/timestamp-lookahead/m-p/432890#M170696 harsmarvania57 2020-09-30T00:59:59Z https://community.splunk.com/t5/Splunk-Search/timestamp-lookahead/m-p/432891#M170697 <P>thanks for your answer<BR /> it is working</P> <P>i see it is also work without MAX_TIMESTAMP_LOOKAHEAD <BR /> the thing is that im afraid that the epoch time will be with more than 10 digits so if it is not necessary to limit i think it will be better</P> <P>what do you think ?</P> Wed, 30 Sep 2020 01:00:01 GMT https://community.splunk.com/t5/Splunk-Search/timestamp-lookahead/m-p/432891#M170697 sarit_s 2020-09-30T01:00:01Z https://community.splunk.com/t5/Splunk-Search/timestamp-lookahead/m-p/432892#M170698 <P>If you do not set <CODE>MAX_TIMESTAMP_LOOKAHEAD</CODE> then it will take default value which is 128 character, I'll suggest to define <CODE>MAX_TIMESTAMP_LOOKAHEAD</CODE> with max length of your epoch time.</P> Tue, 18 Jun 2019 12:35:56 GMT https://community.splunk.com/t5/Splunk-Search/timestamp-lookahead/m-p/432892#M170698 harsmarvania57 2019-06-18T12:35:56Z