
How do I edit my props.conf for proper timestamp extraction from my sample log entry?

mark19632
New Member

I'm having trouble with a log and getting Splunk to recognize the time format.

Here is an example of a log entry:

010406:00:530000000000000040RD000001071215 

Now, all the entries start with 0104 followed by the time in H:M:S format.

I've added a props.conf to the indexer like this:

[sisfeedlog]
TIME_PREFIX = ^0104
TIME_FORMAT = %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 8

and a props.conf on the server:

[source::...\\SISFeed\\S(\d+\.LOG)]
sourcetype = sisfeedlog

It doesn't seem to be working though as the time isn't being extracted and the sourcetype is coming up as unknown.

Any advice on why it's not working?

Thanks,

Mark

1 Solution

MuS
SplunkTrust

Hi mark19632,

when defining a stanza in props.conf you can only use a limited set of regexes:

When setting a [<spec>] stanza, you can use the following regex-type syntax:
... recurses through directories until the match is met
    or equivalently, matches any number of characters.
*   matches anything but the path separator 0 or more times.
    The path separator is '/' on unix, or '\' on windows.
    Intended to match a partial or complete directory or filename.
|   is equivalent to 'or'
( ) are used to limit scope of |.

So, your [source::...\\SISFeed\\S(\d+\.LOG)] will not work since \d+ is not supported.
What would work is this: [source::...\\SISFeed\\S*.LOG], but I don't know if this is matching the correct directory... BTW, why don't you set the sourcetype in the server's inputs.conf?

Hope this helps ...

cheers, MuS

PS: your props.conf on the indexer looks fine.

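The matching rules quoted in the answer can be checked offline. The following Python is an added example written for this page, not Splunk's own matcher: it translates the part of a [source::<spec>] stanza after source:: into a regular expression using only the four documented constructs, then shows why the poster's original stanza never fires (so the sourcetype stays unknown) while the corrected one does, and that * stops at a path separator. Two details are assumptions of the emulation rather than documented behaviour: a backslash escapes the character after it (so the "\\" written in a stanza is one literal backslash), and comparison is case-sensitive. The file paths are constructed.

```python
import re

# Added example: emulate how a props.conf [source::<spec>] stanza is matched
# against a file path, using only the constructs the spec allows:
#   ...   any run of characters, path separators included
#   *     any run of characters except a path separator
#   |     alternation, scoped by ( )
# Everything else is literal. Assumptions of this emulation (not from the
# Splunk docs): a backslash escapes the character after it, so the "\\"
# written in a stanza is one literal backslash, and matching is case-sensitive.


def stanza_to_regex(spec: str) -> "re.Pattern[str]":
    """Translate the part after 'source::' into an anchored Python regex."""
    parts = []
    i = 0
    while i < len(spec):
        if spec.startswith("...", i):
            parts.append(".*")
            i += 3
        elif spec[i] == "*":
            parts.append(r"[^/\\]*")            # never crosses / or \
            i += 1
        elif spec[i] in "|()":
            parts.append(spec[i])              # alternation and grouping pass through
            i += 1
        elif spec[i] == "\\" and i + 1 < len(spec):
            parts.append(re.escape(spec[i + 1]))  # escaped char is taken literally
            i += 2
        else:
            parts.append(re.escape(spec[i]))   # '.', '+', 'd' ... are literal
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def resolve_sourcetype(path: str, stanzas: dict) -> str:
    """Return the sourcetype of the first [source::...] stanza matching path,
    or 'unknown' when nothing matches (the symptom reported in the question)."""
    for spec, sourcetype in stanzas.items():
        if stanza_to_regex(spec).match(path):
            return sourcetype
    return "unknown"


# Constructed paths standing in for the poster's SISFeed directory.
SISFEED = r"C:\logs\SISFeed\S15122015.LOG"
NESTED = r"C:\logs\SISFeed\Sub\S15122015.LOG"
OTHER = r"D:\other\S15122015.LOG"

# In the original stanza \d+ is not a construct: '\d' becomes the literal 'd'
# and '+' the literal '+', so it only matches a file called Sd+.LOG.
ORIGINAL = {r"...\\SISFeed\\S(\d+\.LOG)": "sisfeedlog"}
CORRECTED = {r"...\\SISFeed\\S*.LOG": "sisfeedlog"}


if __name__ == "__main__":
    print(stanza_to_regex(r"...\\SISFeed\\S(\d+\.LOG)").pattern)
    for label, path in [("sisfeed", SISFEED), ("nested", NESTED), ("other", OTHER)]:
        print(f"{label:8} original={resolve_sourcetype(path, ORIGINAL):10} "
              f"corrected={resolve_sourcetype(path, CORRECTED)}")
```

Running it prints the translated regex of the original stanza, ^.*\\SISFeed\\S(d\+\.LOG)$, which makes the failure visible at a glance, and the table shows that the corrected stanza matches only files directly under SISFeed. If both .LOG and .log must be covered, the documented | and ( ) constructs give [source::...\\SISFeed\\S*.(LOG|log)].
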
mark19632
New Member

Thanks MUS, I've added it to the inputs.conf and picking up the sourcetype and the time correctly 🙂

Now for the next problem!

The log files are named s*date*.log, e.g. S15122015.log for today.

When read in, the logs are showing the incorrect date: 06122015 is being picked up as the 12th of July rather than the 6th of December.

Can I change this?

Thanks,

Mark


mark19632
New Member

I've tried that and it's made no difference, unfortunately.


mark19632
New Member

I fixed it by creating a custom datetime.xml in the end 🙂


MuS
SplunkTrust
SplunkTrust

Use the TIME_FORMAT option in props.conf to set the format of your time string to something like this:

 TIME_FORMAT = %d%m%Y

See the docs for more details about the time strings (http://docs.splunk.com/Documentation/Splunk/6.3.1/SearchReference/Commontimeformatvariables) and the props.conf setting (http://docs.splunk.com/Documentation/Splunk/6.3.1/Admin/Propsconf).

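To see the two readings of the filename date side by side, here is an added Python example written for this page; it is not code from the thread and does not reproduce Splunk's timestamp processor or the datetime.xml the poster ended up writing. It emulates the three settings from the question (TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD, TIME_FORMAT) with strptime on the quoted log line, then parses an 8-digit filename date with both %d%m%Y and %m%d%Y. The filename regex S<8 digits>.LOG, the sample line and the way date and time are combined are assumptions of the example. One check worth noting: a value like 06122015 parses under either format, so the format cannot be validated on that file alone, whereas 15122015 is rejected by %m%d%Y because there is no month 15.

```python
import re
from datetime import datetime

# Added example: emulate TIME_PREFIX / MAX_TIMESTAMP_LOOKAHEAD / TIME_FORMAT
# with Python's strptime, and show the %d%m%Y vs %m%d%Y ambiguity of the
# filename date. The filename pattern and the combination step are
# assumptions of this example, not Splunk's datetime.xml behaviour.

# Constructed input, modelled on the line quoted in the question.
SAMPLE_LINE = "010406:00:530000000000000040RD000001071215"


def extract_time(line, time_prefix=r"^0104", time_format="%H:%M:%S", lookahead=8):
    """Find TIME_PREFIX, take the next MAX_TIMESTAMP_LOOKAHEAD characters and
    parse them with TIME_FORMAT. Returns a time, or None if either step fails.
    Python's strptime must consume the whole window, so here the lookahead has
    to be exactly the length of the time string (8 for HH:MM:SS); Splunk's own
    parser is more lenient about trailing characters."""
    m = re.search(time_prefix, line)
    if not m:
        return None
    window = line[m.end():m.end() + lookahead]
    try:
        return datetime.strptime(window, time_format).time()
    except ValueError:
        return None


def date_from_filename(filename, date_format):
    """Pull the 8-digit date out of an S<dddddddd>.LOG name and parse it with
    date_format. Returns None when the digits do not fit the format, e.g.
    15122015 read as %m%d%Y (there is no month 15)."""
    m = re.search(r"S(\d{8})\.LOG$", filename, re.IGNORECASE)
    if not m:
        return None
    try:
        return datetime.strptime(m.group(1), date_format).date()
    except ValueError:
        return None


def event_timestamp(filename, line, date_format="%d%m%Y"):
    """Combine the date taken from the filename with the time taken from the
    event line, the way the poster wants the events stamped."""
    d = date_from_filename(filename, date_format)
    t = extract_time(line)
    if d is None or t is None:
        return None
    return datetime.combine(d, t)


if __name__ == "__main__":
    for name in ("S06122015.LOG", "S15122015.LOG"):
        print(name,
              "%d%m%Y ->", date_from_filename(name, "%d%m%Y"),
              " %m%d%Y ->", date_from_filename(name, "%m%d%Y"))
    print(event_timestamp("S06122015.LOG", SAMPLE_LINE))
```

Running it shows S06122015.LOG yielding 2015-12-06 under %d%m%Y and 2015-06-12 under %m%d%Y, while S15122015.LOG yields 2015-12-15 under %d%m%Y and None under %m%d%Y. When checking a TIME_FORMAT, test it against a file whose day is above 12 so a wrong day/month order fails loudly instead of silently producing a plausible date.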