Re: How to configure props.conf for my sample data...

splunk47 · ‎02-22-2015

Sample Log Data:

20150121
1
101834
10:18:34:794
2953 1

CN0010001
HARI1
GROUP.DEBIT.INT
1 I

150121101834794

How should I configure props.conf to take 150121101834794 as the timestamp and break the event after that.

satishsdange · ‎02-23-2015

Please try below

[logs]
TIME_PREFIX = 1\sI\s+
TIME_FORMAT = %y%m%d%H%M%S%3N

klee310 · ‎02-23-2015

ya, I think this should work - but the text-formatting on this site seems to have messed up the answer here (for TIME_PREFIX).. it should instead be TIME_PREFIX = 1\s|\s+

but then again, you'll need to confirm the 1 | always appear just before the date/time string - otherwise you'll probably be better off using MAX_TIMESTAMP_LOOKAHEAD = ### - ### is some number of characters into the event Splunk should look for a timestamp

Ayn · ‎02-23-2015

Is "150121101834794" a static string?

splunk47 · ‎02-23-2015

yes this is basically a complete event

20150121
1
101834
10:18:34:794
2953 1

CN0010001
HARI1
GROUP.DEBIT.INT
1 I

150121101834794

this 150121101834794 is time given in event .. after this a new event is start with a same pattren
we have used time format for this event %y%m%d%H%M%S%3N

How to configure props.conf for my sample data to recognize the correct timestamp and break the event after that?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!