Solved: How can I take the second timestamp in props.conf?

lorscardala985 · ‎07-21-2023

how can i in the props.conf file tell Splunk to take the second timestamp as opposed to the first

isoutamo · ‎07-21-2023

In this case you could try something like

^(\w+[\s:\.]+){9}

on your TIME_PREFIX. I assume that 1st timestamp field is first characters on your log entry. If not then ^ should be fixed to match where this starts.

View solution in original post

isoutamo · ‎07-21-2023

Hi

this depends on your log file's content. Can you share it?

In common level you could add TIME_PREFIX on your props.conf to recognise correct place where your timestamp starts. See more from here https://docs.splunk.com/Documentation/Splunk/9.1.0/Data/Configuretimestamprecognition

r. Ismo

lorscardala985 · ‎07-21-2023

i have events with this timestamp Sep 20 11:13:18 10.50.3.100 Sep 20 11:13:15 and i want to view only the second timestamp

isoutamo · ‎07-21-2023

In this case you could try something like

^(\w+[\s:\.]+){9}

on your TIME_PREFIX. I assume that 1st timestamp field is first characters on your log entry. If not then ^ should be fixed to match where this starts.

How can I take the second timestamp in props.conf?

props.conf

transforms.conf

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?