Re: How to configure props.conf to index a log wit...

dovelsh12223621 · ‎06-02-2015

In myy log, there are two timestamp formats like this:

logname=test. msg=[007574][20150602 111413] aaa
logname=test. msg=[00022526][111400:808] bbbbbb

A) [20150602 111413] means At 11:14:13 on June 2nd, 2015
B) [111400:808] means 11:14:00 808 milliseconds
How do I configure the props.conf file to get these two timestamps simultaneously? Sometimes my log is indexed with timestamp A and sometimes timestamp B.

woodcock · ‎06-06-2015

Check out these 2 blogs; it is not too difficult:

http://www.function1.com/2013/01/oh-no-splunking-log-files-with-multiple-formats-no-problem

http://blogs.splunk.com/2014/04/23/its-that-time-again/

stephane_cyrill · ‎06-02-2015

HI ,
see how to to it with TIME_FORMAT in props.conf

http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Configuretimestamprecognition

dovelsh12223621 · ‎06-02-2015

Thanks for your help .However,I donot know how to use TIME_FORMAT ,which log has two timestamps.
I have done like this:
TIME_FORMAT=(%y%m%d %H%M%S) | (%H%M%S:%3N )
But,the TIME_FORMAT has no use in any one.

stephane_cyrill · ‎06-02-2015

I think ,to have the two timestamps, we need only to set the TIME_FORMAT to the format of 11:14:00 808 milliseconds
.By doing so the other timestamp will be set by default to the same format.

SO try this TIME_FORMAT= %y%m%d %H%M%S%3Q
where 3Q is for milliseconds.

AND do not forget to specify TIME_PREFIX . your stanza in props.conf will look like this for example:

[source::]
TIME_PREFIX = ][
TIME_FORMAT = %y%m%d %H%M%S%3Q

TIME_FORMAT starts reading after the TIME_PREFIX (or directly at the start of the event, if there's no TIME_PREFIX attribute).

How to configure props.conf to index a log with two or three timestamps?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!