Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Fixed Format Records - Timestamp Extraction Issues

himynamesdave
Contributor
‎05-07-2015 12:18 AM

Guys,

This is probably a simple answer, but I'm struggling to get it right 😞

I have events of fixed length - each event is 775 chars long. Fine. Each event is on a new line also.

The timestamp in the event is in %Y%m format. This timestamp always starts in the 15th character position of the event - 15, 16, 17, 18 = year. 19, 20 = month (i have pasted two events below where timestamp = 201301). I'm happy to snap the day to 01 of the month. I know this is not ideal for Splunk.

So at index time I set the following in props.conf

TIME_PREFIX=(.){15}
MAX_TIMESTAMP_LOOKAHEAD=6
TIME_FORMAT=%Y%m
SHOULD_LINEMERGE=false
LINE_BREAKER= .{775}()
MAX_DAYS_AGO=3650

I have included max days ago due to the events age.

But this does not work. I have tried changing the number for time prefix, lookahead, etc to no avail. Attached is a sample of 2 events. If anyone can help me out to get the timestamp extracted, it will be a great day!

Thanks!

sample-event.txt.zip
0 Karma
Reply

gwiley_splunk
Splunk Employee
Splunk Employee
‎05-07-2015 12:35 AM

I would try setting:

TIME_PREFIX = (.){14}
MAX_TIMESTAMP_LOOKAHEAD = 21

Given that the timestamp begins on the 15th character so there would only be 14 characters prefix and I think you ought to lookahead to at least the character position marking the end of the timestamp.

Cheers, Greg.

0 Karma
Reply

himynamesdave
Contributor
‎05-07-2015 12:51 AM

Thanks, Greg. But this doesn't work either 😞

0 Karma
Reply

gwiley_splunk
Splunk Employee
Splunk Employee
‎05-07-2015 12:52 AM

Ok.

I meant to mention this earlier but try anchoring the TIME_PREFIX. I.e.

TIME_PREFIX = ^(.){14}

Cheers, Greg.

Reply

himynamesdave
Contributor
‎05-07-2015 12:55 AM

I like your perseverance, but still no luck. I feel like Splunk is just rejecting the timestamp because it has no day.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...