How to build props.conf?

Roy_9
Motivator

Hello,

I'm trying to build the props.conf for the log below, but I am getting "failed to parse timestamp" and "defaulting to file modtime" errors.

[test]
TIME_PREFIX = \["BS":
TIME_FORMAT = %Y-%m-%d %H-%M-%S.%3N
LINE_BREAKER = \}
SHOULD_LINEMERGE = true
TRUNCATE = 100000

Below is the log sample:

["BS":"2023-04-04 20-10-45.013", MessageID:"test-7657-99", UID="xy123-bc22"]
 {
 xyz
 }
["BS":"2023-04-04 20-10-46.013", MessageID:"test-7687-99", UID="xy123-bc22"]
 {
 abc
 }

Please help me with it.


Thanks

PickleRick
SplunkTrust

OK, first and foremost - what is your architecture? Are you ingesting data with UF? HF? Sending directly to Cloud HEC input?

Because _what_ is in your props.conf is one thing but _where_ it should be placed is another.


woodcock
Esteemed Legend

Your LINE_BREAKER is invalid and SHOULD_LINEMERGE is wrong. Also, be sure that you are deploying to the first full instance of Splunk that handles the events (i.e. are you using HF?). Are you sure that the "sourcetype" value is "rest"? If so:

[test]
TIME_PREFIX = \["BS":
TIME_FORMAT = %Y-%m-%d %H-%M-%S.%3N
LINE_BREAKER = }([\r\n\s]+)\["BS":
SHOULD_LINEMERGE = false
TRUNCATE = 100000

Roy_9
Motivator

@woodcock I tried your config by creating the sourcetype directly on Splunk Cloud, but it isn't working; the timestamp is still getting rounded in the event instead of accurately displaying the timestamp with milliseconds.


isoutamo
SplunkTrust

Hi

Have you tried %3Q instead of %3N? It probably doesn't help, but maybe it's worth a try?

r. Ismo


Roy_9
Motivator

I am just keeping the sourcetype as "test" for testing purposes on my standalone test server. I have applied the props below and I am still getting the error:

couldnot use strptime to parse timestamp from "2023-04-07 11-37-39.354"

Failed to parse timestamp, defaulting to file modtime.

These logs are already being indexed and sent to Splunk Cloud; we have an on-prem HF in place.

Is it possible to extract the timestamp from the event directly and apply it to the timestamp field at search time?

I used the search below, but my timestamp is still getting rounded:

index="abc" sourcetype="test"
| rex "\["BS"\":\"(?<event_time>\d{4}-\d{2}-\d{2} \d{2}-\d{2}-\d{2}\.\d{3})\""
| eval timestamp=strptime(event_time,"%Y-%m-%d %H-%M-%S.%3N")

For example: "2023-04-07 11-37-39.354" is rounded to 4/7/23 11:37:40.000 AM under the Time column in search.

gcusello
SplunkTrust

Hi @Roy_9,

this seems to be a JSON format; please try with INDEXED_EXTRACTIONS, something like this:

[test]
TIME_PREFIX = \[\"BS\":
TIME_FORMAT = %Y-%m-%d %H-%M-%S.%3N
SHOULD_LINEMERGE = true
INDEXED_EXTRACTIONS = json

In addition, the regex for TIME_PREFIX is wrong, because " is also a special char that needs escaping.

Ciao.

Giuseppe

Roy_9
Motivator

@gcusello It didn't work; the timestamp is getting rounded to the nearest second.


gcusello
SplunkTrust

Hi @Roy_9,

it's really strange, because timestamp extraction doesn't round: it reads the time and assigns it to the timestamp; then, if you used %3N, it should take the milliseconds.

Could you share your props.conf?

Ciao.

Giuseppe


yeahnah
Motivator

The TIME_PREFIX handles regular expressions so the double quote should not need escaping.  Having said that there is no harm in escaping the double quote.

Also, it does not look like standard JSON format to me so I doubt Splunk would handle it, as it would fail to parse it as JSON.  

yeahnah
Motivator

Try this:


[test]
TIME_PREFIX = \["BS":"
TIME_FORMAT = %Y-%m-%d %H-%M-%S.%3N
LINE_BREAKER = \}([\n\r]+)\[
SHOULD_LINEMERGE = false
TRUNCATE = 100000
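
To see what these settings do to the sample before touching a real Splunk instance, here is an added Python model of LINE_BREAKER, TIME_PREFIX and TIME_FORMAT applied to a constructed copy of the log posted above. It is not Splunk code and not from anyone in this thread; it assumes a simplified version of Splunk's documented behaviour: the first capture group of LINE_BREAKER is the discarded event boundary (and the regex must have one), the timestamp text must start immediately after the TIME_PREFIX match, and %3N is mapped onto Python's %f. The sample log and all function names are constructed for this example.

```python
import re
from datetime import datetime

# Constructed sample in the same shape as the log posted in the thread (not real data).
SAMPLE_LOG = (
    '["BS":"2023-04-04 20-10-45.013", MessageID:"test-7657-99", UID="xy123-bc22"]\n'
    ' {\n xyz\n }\n'
    '["BS":"2023-04-04 20-10-46.013", MessageID:"test-7687-99", UID="xy123-bc22"]\n'
    ' {\n abc\n }\n'
)

# Settings from the props.conf above, written as raw Python regex strings.
LINE_BREAKER = r'\}([\n\r]+)\['
TIME_PREFIX = r'\["BS":"'
TIME_FORMAT = '%Y-%m-%d %H-%M-%S.%3N'

# Shape of the timestamp text expected right after the TIME_PREFIX match.
TIMESTAMP_SHAPE = re.compile(r'\d{4}-\d{2}-\d{2} \d{2}-\d{2}-\d{2}\.\d{3}')


def line_breaker_is_valid(pattern):
    """Splunk requires LINE_BREAKER to contain a capturing group; a bare
    closing-brace pattern like the one in the first post has none."""
    return re.compile(pattern).groups >= 1


def split_events(data, line_breaker):
    """Model of LINE_BREAKER with SHOULD_LINEMERGE = false: the text matched by
    the first capture group is discarded as the boundary; text matched outside
    the group stays with the event before or after it."""
    if not line_breaker_is_valid(line_breaker):
        raise ValueError('LINE_BREAKER needs a capturing group: %r' % line_breaker)
    events, start = [], 0
    for m in re.finditer(line_breaker, data):
        events.append(data[start:m.start(1)])
        start = m.end(1)
    tail = data[start:]
    if tail.strip():
        events.append(tail)
    return [e.strip() for e in events]


def strptime_splunk(text, fmt):
    """Parse with a Splunk TIME_FORMAT; %3N (milliseconds) maps onto Python's %f."""
    return datetime.strptime(text, fmt.replace('%3N', '%f'))


def extract_timestamp(event, time_prefix, time_format):
    """Model of TIME_PREFIX + TIME_FORMAT: the timestamp must begin immediately
    after the prefix match. Returns None when nothing parseable is found, the
    case Splunk reports as 'failed to parse timestamp, defaulting to file modtime'."""
    m = re.search(time_prefix, event)
    if not m:
        return None
    shape = TIMESTAMP_SHAPE.match(event, m.end())
    if not shape:
        return None
    try:
        return strptime_splunk(shape.group(0), time_format)
    except ValueError:
        return None


def format_ms(dt):
    """Render a datetime with millisecond precision, as _time is expected to show."""
    return dt.strftime('%Y-%m-%d %H:%M:%S.%f')[:-3]


if __name__ == '__main__':
    print('bare closing-brace LINE_BREAKER valid:', line_breaker_is_valid(r'\}'))
    for ev in split_events(SAMPLE_LOG, LINE_BREAKER):
        ts = extract_timestamp(ev, TIME_PREFIX, TIME_FORMAT)
        print(repr(ev[:40]), '->', format_ms(ts) if ts else 'FAILED (file modtime)')
    # A prefix that stops before the opening quote leaves '"2023-...' for strptime.
    print('prefix without quote:', extract_timestamp(SAMPLE_LOG, r'\["BS":', TIME_FORMAT))
```

Running it shows the two events splitting at the `}` / `[` boundary, the first timestamp parsed with `.013` retained rather than rounded, and that a TIME_PREFIX which stops before the opening quote (as in the first post) leaves nothing parseable at the expected position. The model covers index-time parsing only; it says nothing about why a correctly parsed value would be displayed rounded later.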

 

Roy_9
Motivator

@yeahnah I tried your config by creating the sourcetype directly on Splunk Cloud, but it isn't working; the timestamp is still getting rounded in the event instead of accurately displaying the timestamp with milliseconds.
