Solved: Can't extract simple YYYYMMDD data to be event dat...

philip_wong · ‎08-05-2014

I have PSV files in such format. Date is in 2nd column.
Haven't spent much time to try different setting, but Splunk still took file modified time as event time stamp. I'm stilling asking myself what's wrong with "TIME_FORMAT= %Y%m%d"??

Anyone can help to see what's wrong of my props.conf?

foo|20131201|bar|...

[unixops:sitelog]
SHOULD_LINEMERGE = false
TIME_FORMAT= %Y%m%d
LEARN_MODEL = false
INDEXED_EXTRACTIONS = PSV
FIELD_NAMES = host,date,log,message_type,region,city,campus,building,status,personality

philip_wong · ‎08-06-2014

It works now. A silly mistake...

I didn't pay attention TIME_PREFIX is regex based.
So the answer is

TIME_PREFIX = \|

Thanks helping me!

View solution in original post

philip_wong · ‎08-06-2014

It works now. A silly mistake...

I didn't pay attention TIME_PREFIX is regex based.
So the answer is

TIME_PREFIX = \|

Thanks helping me!

strive · ‎08-06-2014

Good to know that it worked. Dont forget to accept the answer 🙂

strive · ‎08-05-2014

In your case, you need to set TIME_PREFIX and MAX_TIMESTAMP_LOOKAHEAD. Check the props.conf documenattion
http://docs.splunk.com/Documentation/Splunk/6.1.1/Admin/Propsconf

TIME_PREFIX = foo|

MAX_TIMESTAMP_LOOKAHEAD = 12

Try these. Change the values as required.

strive · ‎08-05-2014

Can you tell what will be there before |20131201. Is it one word or multiple words separated by |.

philip_wong · ‎08-05-2014

"foo" is not fixed value.

I did try TIME_PREFIX = | and MAX_TIMESTAMP_LOOKAHEAD = 50 , still didn't work

Can't extract simple YYYYMMDD data to be event date...

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

Logs to Metrics

Developer Spotlight with Paul Stout