https://community.splunk.com/t5/Splunk-Search/Props-Configuration-with-for-Text-File-with-First-2-lines/m-p/571436#M199134 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/234909">@SplunkDash</a>&nbsp;</P><P>You text file is not a qualified CSV as they don't have comma , separated values/header. To use space your event_name having value User Login which is having space that would not extract whole value of event_name.</P><P>one solution would be to drop the header and second line with ------ and use search time field extractions.</P><UL><LI>props shall be configured on HF/indexer to drop the header and ---- lines. ( use nullQueue ),&nbsp;Timestamp extraction you can use regex - TIME_PREFIX = ^\d+\s+\d+\s+\S+\s+ , TIME_FORMAT = &lt;set_here&gt;</LI><LI>props having search-time extractions shall go to SH.</LI></UL><P>In total you need to have two set's of props here.</P><P>--</P><P>An upvote would be appreciated if this reply helps!</P> Tue, 19 Oct 2021 00:46:53 GMT venkatasri 2021-10-19T00:46:53Z https://community.splunk.com/t5/Splunk-Search/Props-Configuration-with-for-Text-File-with-First-2-lines/m-p/571428#M199127 <P>&nbsp;</P><P>Hello,</P><P>I have an issue writing props configuration for text source file which contains first 2 line (including "----" line) as header info. Please see 3 sample events along with 2 header lines below. I also included the props that I wrote for this source file, but not working as expected....getting some error message "<STRONG>failed to parse timestamp". </STRONG>Any help will he highly appreciated. Thank you so much.</P><P><STRONG>Sample data</STRONG></P><P>Event_id&nbsp; user_id&nbsp; &nbsp;group_id&nbsp; create_date&nbsp; create_login&nbsp; company_event_id&nbsp; event_name&nbsp;&nbsp;<BR />----------------- ----------- ----------- ----------------------- ------------ ------------------------- --------------<BR />105&nbsp; 346923 NULL&nbsp; 2021-10-07 14:13:21.160 783923 45655234 User Login&nbsp;<BR />250 165223 NULL 2021-10-07 15:33:54.857&nbsp; &nbsp;566923&nbsp; 92557239 User Login&nbsp;<BR />25 1168923 NULL 2021-10-07 16:44:05.257&nbsp; &nbsp;346923&nbsp; 34558242 User Login&nbsp;</P><P class="">&nbsp;</P><P class=""><STRONG>props config file I wrote</STRONG></P><P class="">SHOULD_LINEMERGE=false</P><P class="">INDEXED_EXTRACTIONS=csv</P><P class="">TIMESTAMP_FIELDS=create_date</P><P class="">TIME_FORMAT=%Y-%m-%d&nbsp; %H:%M:%S.%3N</P><P class="">HEADERFIELD_LINE_NUMBER=1</P> Mon, 18 Oct 2021 23:23:44 GMT https://community.splunk.com/t5/Splunk-Search/Props-Configuration-with-for-Text-File-with-First-2-lines/m-p/571428#M199127 SplunkDash 2021-10-18T23:23:44Z https://community.splunk.com/t5/Splunk-Search/Props-Configuration-with-for-Text-File-with-First-2-lines/m-p/571436#M199134 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/234909">@SplunkDash</a>&nbsp;</P><P>You text file is not a qualified CSV as they don't have comma , separated values/header. To use space your event_name having value User Login which is having space that would not extract whole value of event_name.</P><P>one solution would be to drop the header and second line with ------ and use search time field extractions.</P><UL><LI>props shall be configured on HF/indexer to drop the header and ---- lines. ( use nullQueue ),&nbsp;Timestamp extraction you can use regex - TIME_PREFIX = ^\d+\s+\d+\s+\S+\s+ , TIME_FORMAT = &lt;set_here&gt;</LI><LI>props having search-time extractions shall go to SH.</LI></UL><P>In total you need to have two set's of props here.</P><P>--</P><P>An upvote would be appreciated if this reply helps!</P> Tue, 19 Oct 2021 00:46:53 GMT https://community.splunk.com/t5/Splunk-Search/Props-Configuration-with-for-Text-File-with-First-2-lines/m-p/571436#M199134 venkatasri 2021-10-19T00:46:53Z https://community.splunk.com/t5/Splunk-Search/Props-Configuration-with-for-Text-File-with-First-2-lines/m-p/571452#M199137 <P>Thank you so much for your quick response, appreciated. But, TIME_PREFIX/TIME FORMAT is not working as expected, getting some error message couldn't "parse timestamp". Any help will be appreciated!</P><P><STRONG>I used&nbsp;</STRONG></P><P>TIME_PREFIX=^\d+\s+\d+\s+\w+\s+</P><P>TIME_FORMAT=%Y-%m-%d %H:%M%S.%3N&nbsp;</P> Tue, 19 Oct 2021 02:10:37 GMT https://community.splunk.com/t5/Splunk-Search/Props-Configuration-with-for-Text-File-with-First-2-lines/m-p/571452#M199137 SplunkDash 2021-10-19T02:10:37Z https://community.splunk.com/t5/Splunk-Search/Props-Configuration-with-for-Text-File-with-First-2-lines/m-p/571453#M199138 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/234909">@SplunkDash</a>&nbsp;</P><P>you have a typo in both TIME_PREFIX (capital \S in regex) and TIME_FORMAT (:%S missed). Try this, should work for other lines excluding first two lines.</P><LI-CODE lang="markup">[ __auto__learned__ ] SHOULD_LINEMERGE=false LINE_BREAKER=([\r\n]+) TIME_PREFIX=\d+\s+\d+\s+\S+\s+ TIME_FORMAT=%Y-%m-%d %H:%M:%S.%3Q MAX_TIMESTAMP_LOOKAHEAD=40</LI-CODE><P>&nbsp; ---</P><P>An upvote would be appreciated if this reply helps!</P> Tue, 19 Oct 2021 02:47:24 GMT https://community.splunk.com/t5/Splunk-Search/Props-Configuration-with-for-Text-File-with-First-2-lines/m-p/571453#M199138 venkatasri 2021-10-19T02:47:24Z