How to configure props.conf for my sample data to ...

splunk47 · ‎02-22-2015

Sample Log Data:

20150121
1
101834
10:18:34:794
2953 1

CN0010001
HARI1
GROUP.DEBIT.INT
1 I

150121101834794

How should I configure props.conf to take 150121101834794 as the timestamp and break the event after that.

satishsdange · ‎02-23-2015

Please try below

[logs]
TIME_PREFIX = 1\sI\s+
TIME_FORMAT = %y%m%d%H%M%S%3N

klee310 · ‎02-23-2015

ya, I think this should work - but the text-formatting on this site seems to have messed up the answer here (for TIME_PREFIX).. it should instead be TIME_PREFIX = 1\s|\s+

but then again, you'll need to confirm the 1 | always appear just before the date/time string - otherwise you'll probably be better off using MAX_TIMESTAMP_LOOKAHEAD = ### - ### is some number of characters into the event Splunk should look for a timestamp

Ayn · ‎02-23-2015

Is "150121101834794" a static string?

splunk47 · ‎02-23-2015

yes this is basically a complete event

20150121
1
101834
10:18:34:794
2953 1

CN0010001
HARI1
GROUP.DEBIT.INT
1 I

150121101834794

this 150121101834794 is time given in event .. after this a new event is start with a same pattren
we have used time format for this event %y%m%d%H%M%S%3N

How to configure props.conf for my sample data to recognize the correct timestamp and break the event after that?

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES

Are you a member of the Splunk Community?

How to configure props.conf for my sample data to recognize the correct timestamp and break the event after that?

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES