How to configure props.conf to index a log with two or three timestamps?

In my log, there are two timestamp formats, like this:

logname=test. msg=[007574][20150602 111413] aaa
logname=test. msg=[00022526][111400:808] bbbbbb

A) [20150602 111413] means 11:14:13 on June 2nd, 2015
B) [111400:808] means 11:14:00 and 808 milliseconds
How do I configure the props.conf file so that both of these timestamps are handled at the same time? Sometimes my log is indexed with timestamp A and sometimes with timestamp B.

Thanks for your help. However, I do not know how to use TIME_FORMAT when the log has two timestamps.
I have tried this:
TIME_FORMAT=(%y%m%d %H%M%S) | (%H%M%S:%3N )
But the TIME_FORMAT does not work for either one.


I think that, to have the two timestamps, we only need to set TIME_FORMAT to the format of 11:14:00 808 milliseconds. By doing so, the other timestamp will be set by default to the same format.

So try this: TIME_FORMAT = %Y%m%d %H%M%S%3Q
where %3Q is for milliseconds (and %Y is the four-digit year, as in 20150602).

And do not forget to specify TIME_PREFIX. Your stanza in props.conf will look like this, for example:

TIME_PREFIX = msg=\[\d+\]\[
TIME_FORMAT = %Y%m%d %H%M%S%3Q

TIME_FORMAT starts reading after the TIME_PREFIX (or directly at the start of the event, if there's no TIME_PREFIX attribute).
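Before changing props.conf on a production indexer it helps to check offline what a given TIME_PREFIX actually leaves in front of the timestamp, and which of the two formats that text can be parsed with. The script below is an added example for this thread, not code from the original post and not Splunk's own timestamp extractor: it uses Python's strptime as an analogue (Python writes milliseconds as %f where Splunk writes %3N or %3Q), and the prefix regex `msg=\[\d+\]\[` is my assumption based on the two sample lines in the question. It shows that a single format cannot cover both events, and that an event in format B carries no date at all, so the date has to come from somewhere else; here it is borrowed from the previous event that had one. Mis-assigned timestamps matter in security operations because they silently reorder events during an investigation.

```python
import re
from datetime import date, datetime
from typing import List, Optional

# Constructed sample events modelled on the two formats in the question
# (not copied log lines from the original post).
SAMPLE_EVENTS = [
    "logname=test. msg=[007574][20150602 111413] aaa",
    "logname=test. msg=[00022526][111400:808] bbbbbb",
]

# Stand-in for TIME_PREFIX (an assumed regex): everything up to and including
# the second "[". The timestamp is the text between this prefix and the next "]".
TIME_PREFIX = re.compile(r"msg=\[\d+\]\[")

# Python strptime analogues of the two formats. These are NOT Splunk
# directives: Splunk expresses milliseconds as %3N (or %3Q), Python as %f.
FORMAT_A = "%Y%m%d %H%M%S"   # [20150602 111413] -> full date and time
FORMAT_B = "%H%M%S:%f"       # [111400:808]      -> time and ms, no date


def timestamp_text(event: str) -> Optional[str]:
    """Return the raw timestamp text that follows the prefix, up to the closing bracket."""
    m = TIME_PREFIX.search(event)
    if not m:
        return None
    rest = event[m.end():]
    end = rest.find("]")
    return rest if end < 0 else rest[:end]


def parse_with(fmt: str, text: str) -> Optional[datetime]:
    """strptime that returns None instead of raising on a non-matching format."""
    try:
        return datetime.strptime(text, fmt)
    except ValueError:
        return None


def matching_formats(event: str) -> List[str]:
    """List which of the two candidate formats parse this event's timestamp text."""
    text = timestamp_text(event)
    if text is None:
        return []
    return [fmt for fmt in (FORMAT_A, FORMAT_B) if parse_with(fmt, text)]


def extract_timestamps(events: List[str]) -> List[Optional[datetime]]:
    """Parse each event, trying format A first, then B.

    A format-B event has only a time of day, so its date is borrowed from the
    most recent event that carried one. With no such event it stays None rather
    than being guessed.
    """
    out: List[Optional[datetime]] = []
    last_date: Optional[date] = None
    for event in events:
        text = timestamp_text(event)
        ts = parse_with(FORMAT_A, text) if text else None
        if ts is not None:
            last_date = ts.date()
        elif text:
            t = parse_with(FORMAT_B, text)
            if t is not None and last_date is not None:
                ts = datetime.combine(last_date, t.time())
        out.append(ts)
    return out


if __name__ == "__main__":
    for ev, ts in zip(SAMPLE_EVENTS, extract_timestamps(SAMPLE_EVENTS)):
        print(f"{matching_formats(ev)!s:22} {ts}  <- {ev}")
```

Running it shows the first event parsing only with format A and the second only with format B; the second receives 2015-06-02 as its date because it follows the first. Reverse the two events and the format-B line yields None, which is the situation to watch for in the index: events whose day is taken from an unrelated source.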
