Solved: Can you help me out with the time settings in this...

daniel333 · ‎06-22-2016

All,

So here is my log -

date="[22/Jun/2016:17:25:05 +0000]" xff="166.170.220.3"

It's well formated. I am just not sure how to handle the ="[ component?

woodcock · ‎06-22-2016

Like this:

props.conf:

TIME_PREFIX = date="\[
TIME_FORMAT = %d/%b/%Y:%H:%M:%s %z
MAX_TIMESTAMP_LOOKAHEAD = 26

View solution in original post

woodcock · ‎06-22-2016

Like this:

props.conf:

TIME_PREFIX = date="\[
TIME_FORMAT = %d/%b/%Y:%H:%M:%s %z
MAX_TIMESTAMP_LOOKAHEAD = 26

daniel333 · ‎06-24-2016

Thanks! Worked like a charm.

muebel · ‎06-22-2016

Hi daniel333, You can use TIME_PREFIX props setting to tell splunk the pattern that precedes the timestamp, i.e.

TIME_PREFIX = date="\[

You can then set the MAX_TIMESTAMP_LOOKAHEAD to match the expected number of characters, i.e.

MAX_TIMESTAMP_LOOKAHEAD = 27

This should be effective to cause splunk to correctly assign a time to the event, but if not you can use TIME_FORMAT and work out the strftime setting that matches the timestamp.

Please let me know if this answers your question!

splunk_force_as · ‎06-22-2016

You could edit the props.conf's following configs to handle that:

TIME_PREFIX =

MAX_TIMESTAMP_LOOKAHEAD =
TIME_FORMAT =

These can be edited under $SPLUNK_HOME/etc/system/local OR in an app under $SPLUNK_HOME/etc/apps depending on your setup.

Can you help me out with the time settings in this props.conf?

Preparing your Splunk Environment for OpenSSL3

Unleash Unified Security and Observability with Splunk Cloud Platform

Splunk AppDynamics with Cisco Secure Application