Getting Data In

How to configure props.conf to index a log with two or three timestamps?

Path Finder

In myy log, there are two timestamp formats like this:

logname=test. msg=[007574][20150602 111413] aaa
logname=test. msg=[00022526][111400:808] bbbbbb

A) [20150602 111413] means At 11:14:13 on June 2nd, 2015
B) [111400:808] means 11:14:00 808 milliseconds
How do I configure the props.conf file to get these two timestamps simultaneously? Sometimes my log is indexed with timestamp A and sometimes timestamp B.

Tags (2)
0 Karma

Esteemed Legend
0 Karma

0 Karma

Path Finder

Thanks for your help .However,I donot know how to use TIME_FORMAT ,which log has two timestamps.
I have done like this:
TIME_FORMAT=(%y%m%d %H%M%S) | (%H%M%S:%3N )
But,the TIME_FORMAT has no use in any one.

0 Karma


I think ,to have the two timestamps, we need only to set the TIME_FORMAT to the format of 11:14:00 808 milliseconds
.By doing so the other timestamp will be set by default to the same format.

SO try this TIME_FORMAT= %y%m%d %H%M%S%3Q
where 3Q is for milliseconds.

AND do not forget to specify TIME_PREFIX . your stanza in props.conf will look like this for example:

TIME_FORMAT = %y%m%d %H%M%S%3Q

TIME_FORMAT starts reading after the TIME_PREFIX (or directly at the start of the event, if there's no TIME_PREFIX attribute).

0 Karma
Get Updates on the Splunk Community!

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

 Clayton Homes faced the increased challenge of strengthening their security posture as they went through ...

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

We’re happy to announce the release of Mission Control 2.3 which includes several new and exciting features ...

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7

Python 2.7, the last release of Python 2, reached End of Life back on January 1, 2020. As part of our larger ...