Hi @richgalloway ,

i tried the below props.conf
TIME_FORMAT =%m/%d/%Y %H:%M:%S.%2N
TIME_PREFIX = ^
LINE_BREAKER = ([\r\n]+)
SHOULD_LINEMERGE = false

I am getting the below error for the header
"failed to parse timestamp, defaulting to file modtime", how to fix this?

Hi @Roy_9 ,

I think you won't be able to use %N variable different from the available ones:

Hope this helps you, have a good day,

Fabrizio

Hello @LRF / @richgalloway 

It is n't working even after applying %N or %3N to the time format, I am seeing the error like below.

could not use strp time to parse timestamp from "Timestamp process                    TID           Area                       ".

Any help would be highly appreciated.

Hi @Roy_9 ,

My bad, I did not understand where you were having the issue.

Splunk is giving you that error because header doesn't have a timestamp and can't interpret it.

To prevent this, you should remove the header with SEDCM (props.conf) or combining props.conf and transforms to discard that specific line.

Hope this helps you, have a nice day,

Fabrizio

Thank you for the info, can you help me with the SEDCM Command in order to remove the header? I don’t know how to use it with the props.conf.

place the following in the props.conf file:

SEDCMD-removeheader = s/^Timestamp\sProcess\sTID\sArea\sCategory\sEventID\sLevel\sMessage\sCorrelation.*//g

General sintax explained in the props.conf documentation: 

    * replace - s/regex/replacement/flags
      * regex is a perl regular expression (optionally containing capturing
        groups).
      * replacement is a string to replace the regex match. Use \n for back
        references, where "n" is a single digit.
      * flags can be either: g to replace all matches, or a number to
        replace a specified match.

 Hope this helps, have a nice day,

Fabrizio

Thank you so much @LRF  and just a quick question 

What if we want to make this events structured, if we want to get the values with respect to each field let's say under process, process value should be displayed,
under TID,  TID value should be displayed, like the same way i wanted for area, category, Event ID Level, Message and correlation.

With your dataset, it is difficult to use any indexed extraction or similar in props.conf

for reference:

INDEXED_EXTRACTIONS = <CSV|TSV|PSV|W3C|JSON|HEC>

I would personally find a pattern to parse the logs at search time and generate the field extractions for each field

 Hope this helps, have a nice day,

Fabrizio

I just applied the below to the props.conf but still seeing the same error, unable to remove the header.

SEDCMD-removeheader

Thanks

Hi @Roy_9 ,

have you specified the entire configuration?

SEDCMD-removeheader = s/^Timestamp\sProcess\sTID\sArea\sCategory\sEventID\sLevel\sMessage\sCorrelation.*//g

I tested it in the Add data preview and the header gets correctly removed as you can see below:

Also, header removal won't be applied to already ingested data

Hope this helps you, have a nice day,

Fabrizio

Yeah, for some reason, header is not getting removed, I am manually testing it by uploading through Add data section via UI, it is not already indexed.

If you don't mind, can you copy your props.conf stanza and put it here so that i will compare with mine and see if something is missing.

Note that SEDCMD replaces text - it doesn't delete events.  So, in the end, you may still end up with an (empty) event with no timestamp.

To delete the header, use a transform  or Ingest Action that routes the header to nullQueue.

Props.conf:

[mysourcetype]
TRANSFORM-noheader = removeHeader

Transforms.conf:

[removeHeader]
REGEX = ^Timestamp
DEST_KEY = queue
FORMAT = nullQueue

Hi @richgalloway ,

I agree with the transforms/props solution.

I further tested the SEDCMD solution and saw that (at least on my instance) is working as expected.

Is there any known mechanism that automatically remove that empty line? 

that's my sourcetype:

[TestmylogRemoveHeader]
DATETIME_CONFIG = 
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
SEDCMD-removeheader = s/^Timestamp\sProcess\sTID\sArea\sCategory\sEventID\sLevel\sMessage\sCorrelation.*//g
SHOULD_LINEMERGE = false
category = Custom
pulldown_type = true

Produced result:

Any suggestion is highly appreciated! I'll eventually use the props/transforms as preferred method for these cases.

Have a nice day!
Fabrizio

I agree with @LRF   The problem is the log header line doesn't have a timestamp (and doesn't need one).  You can ignore the error or, as suggested, remove it.