Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to configure props.conf to index a log with two or three timestamps?

dovelsh12223621
Path Finder
‎06-02-2015 12:22 AM

In myy log, there are two timestamp formats like this:

logname=test. msg=[007574][20150602 111413] aaa
logname=test. msg=[00022526][111400:808] bbbbbb

A) [20150602 111413] means At 11:14:13 on June 2nd, 2015
B) [111400:808] means 11:14:00 808 milliseconds
How do I configure the props.conf file to get these two timestamps simultaneously? Sometimes my log is indexed with timestamp A and sometimes timestamp B.

Tags (2)
0 Karma
Reply

woodcock
Esteemed Legend
‎06-06-2015 12:19 AM

Check out these 2 blogs; it is not too difficult:

http://www.function1.com/2013/01/oh-no-splunking-log-files-with-multiple-formats-no-problem

http://blogs.splunk.com/2014/04/23/its-that-time-again/

0 Karma
Reply

stephane_cyrill
Builder
‎06-02-2015 12:32 AM

HI ,
see how to to it with TIME_FORMAT in props.conf

http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Configuretimestamprecognition

0 Karma
Reply

dovelsh12223621
Path Finder
‎06-02-2015 12:44 AM

Thanks for your help .However,I donot know how to use TIME_FORMAT ,which log has two timestamps.
I have done like this:
TIME_FORMAT=(%y%m%d %H%M%S) | (%H%M%S:%3N )
But,the TIME_FORMAT has no use in any one.

0 Karma
Reply

stephane_cyrill
Builder
‎06-02-2015 01:10 AM

I think ,to have the two timestamps, we need only to set the TIME_FORMAT to the format of 11:14:00 808 milliseconds
.By doing so the other timestamp will be set by default to the same format.

SO try this TIME_FORMAT= %y%m%d %H%M%S%3Q
where 3Q is for milliseconds.

AND do not forget to specify TIME_PREFIX . your stanza in props.conf will look like this for example:

[source::]
TIME_PREFIX = ][
TIME_FORMAT = %y%m%d %H%M%S%3Q

TIME_FORMAT starts reading after the TIME_PREFIX (or directly at the start of the event, if there's no TIME_PREFIX attribute).

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Introduction to Splunk AI

How are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. Lucky for ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Maximizing the Value of Splunk ES 8.x

Splunk Enterprise Security (ES) continues to be a leader in the Gartner Magic Quadrant, reflecting its pivotal ...