In my log, there are two timestamp formats like this:
logname=test. msg=[007574][20150602 111413] aaa
logname=test. msg=[00022526][111400:808] bbbbbb
A) [20150602 111413] means At 11:14:13 on June 2nd, 2015
B) [111400:808] means 11:14:00 808 milliseconds
How do I configure the props.conf file to get these two timestamps simultaneously? Sometimes my log is indexed with timestamp A and sometimes timestamp B.
Check out these 2 blogs; it is not too difficult:
http://www.function1.com/2013/01/oh-no-splunking-log-files-with-multiple-formats-no-problem
Hi,
See how to do it with TIME_FORMAT in props.conf:
http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Configuretimestamprecognition
Thanks for your help. However, I do not know how to use TIME_FORMAT when the log has two timestamps.
I have done it like this:
TIME_FORMAT=(%y%m%d %H%M%S) | (%H%M%S:%3N )
But the TIME_FORMAT does not work for either one.
I think, to have the two timestamps, we only need to set TIME_FORMAT to the format of 11:14:00 808 milliseconds. By doing so, the other timestamp will be set by default to the same format.
So try this: TIME_FORMAT = %y%m%d %H%M%S%3Q
where %3Q is for milliseconds.
And do not forget to specify TIME_PREFIX. Your stanza in props.conf will look like this, for example:
[source::]
TIME_PREFIX = \]\[
TIME_FORMAT = %y%m%d %H%M%S%3Q
TIME_FORMAT starts reading after the TIME_PREFIX (or directly at the start of the event, if there's no TIME_PREFIX attribute).
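The thread above never shows what actually happens when a single strptime string is applied to both event shapes. The following Python script is an added example that is not from the original post or from Splunk: it models the TIME_PREFIX / TIME_FORMAT mechanics (a prefix regex whose match end marks the start of the timestamp, followed by one strptime format) over constructed sample events, shows that one format string can only ever parse one of the two shapes, and then shows an ordered list of formats that handles both. The sample events, the `default_date` used to fill in the date that format B lacks, and the 20-character lookahead are all assumptions of this example, not Splunk behaviour.

```python
import re
from datetime import date, datetime

# Constructed sample events modelled on the two shapes in the question;
# the third line deliberately carries no parseable timestamp.
SAMPLE_EVENTS = [
    "logname=test. msg=[007574][20150602 111413] aaa",
    "logname=test. msg=[00022526][111400:808] bbbbbb",
    "logname=test. msg=[000001][garbage] ccc",
]

# Stand-in for TIME_PREFIX: the timestamp begins where this regex match ends.
# The brackets must be escaped because TIME_PREFIX is a regular expression.
TIME_PREFIX = re.compile(r"\]\[")

# Assumed lookahead window, analogous to MAX_TIMESTAMP_LOOKAHEAD.
MAX_LOOKAHEAD = 20

# Ordered candidates standing in for the single TIME_FORMAT that props.conf
# accepts. The second field records whether the format carries a date.
# Python's %f takes 1-6 fractional digits, so "808" becomes 808000 microseconds.
TIME_FORMATS = [
    ("%Y%m%d %H%M%S", True),   # shape A: 20150602 111413
    ("%H%M%S:%f", False),      # shape B: 111400:808
]


def timestamp_text(event):
    """Return the text after TIME_PREFIX up to the closing bracket, or None."""
    m = TIME_PREFIX.search(event)
    if m is None:
        return None
    window = event[m.end():m.end() + MAX_LOOKAHEAD]
    return window.split("]", 1)[0]


def parse_with_single_format(event, fmt):
    """Model of one TIME_FORMAT: strptime with exactly one format string."""
    text = timestamp_text(event)
    if text is None:
        return None
    try:
        return datetime.strptime(text, fmt)
    except ValueError:
        return None


def count_parsed(events, fmt):
    """How many events a single TIME_FORMAT string would parse."""
    return sum(1 for e in events if parse_with_single_format(e, fmt) is not None)


def extract_timestamp(event, default_date):
    """Try each candidate format in order; fill in the date when the format
    has none (assumption of this example: a caller-supplied default_date)."""
    text = timestamp_text(event)
    if text is None:
        return None
    for fmt, has_date in TIME_FORMATS:
        try:
            ts = datetime.strptime(text, fmt)
        except ValueError:
            continue
        if not has_date:
            ts = datetime.combine(default_date, ts.time())
        return ts
    return None


if __name__ == "__main__":
    for fmt, _ in TIME_FORMATS:
        print(f"{fmt!r} alone parses {count_parsed(SAMPLE_EVENTS, fmt)} of {len(SAMPLE_EVENTS)} events")
    for e in SAMPLE_EVENTS:
        print(extract_timestamp(e, date(2015, 6, 2)), "<-", e)
```

Running it shows that either single format parses exactly one of the two real events, which is why the alternation attempted earlier in the thread cannot work as a TIME_FORMAT value: strptime has no `|` operator. The third event parses under neither format and comes back as None, the case a practitioner should watch for, since an unparsed timestamp in a SIEM pipeline silently shifts events onto whatever fallback time the indexer chooses.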