I have events in the format below which do not have a timestamp in the first 20 lines, and I tried to create the configuration but it did not succeed. Could you please help me create the TIME_PREFIX and TIME_FORMAT for the events below?
* ACTIVE TRACE LEVEL 1
* ACTIVE TRACE COMPONENTS all, MJ
M sysno 00
M sid P05
M systemid 390 (AMD/Intel x86_64 with Linux)
M relno 7420
M patchlevel 0
M patchno 439
M intno 20020600
M make multithreaded, Unicode, 64 bit, optimized
M profile /usr/sap/P05/SYS/profile/P05_D00_stp05a02
M pid 3019
M Sun Sep 17 10:40:23 2017
M kernel runs with dp version 3000(ext=117000) (@(#) DPLIB-INT-VERSION-0+3000-UC)
M length of sys_adm_ext is 500 bytes
M ThStart: taskhandler started
M ThInit: initializing DIA work process W0
X MMX: use precise segment size globally
M ThStopHeapLockChecker: stop heap lock checker
M rdisp/sapgui_data_trace : 1 -> 1
M ***LOG Q01=> ThInit, WPStart (Workp. 0 1 3019) [thxxhead.c 1052]
M Sun Sep 17 10:40:28 2017
M ThInit: running on host stp05a02
I MtxInit: 0 0 0
M calling db_connect ...
B Loading DB library '/usr/sap/P05/D00/exe/dboraslib.so' ...
B Library '/usr/sap/P05/D00/exe/dboraslib.so' loaded
B Version of '/usr/sap/P05/D00/exe/dboraslib.so' is "742.06", patchlevel (0.431)
B read_con_info_ssfs(): DBSL supports extended connect protocol
B ==> connect info for default DB will be read from ssfs
Try these props.conf settings:
TIME_FORMAT = %a %b %d %H:%M:%S %Y
TIME_PREFIX = ^M\s+
LINE_BREAKER = ()trc file
MAX_TIMESTAMP_LOOKAHEAD = 500
You are restarting Splunk after making props.conf changes, right? Also, the changes only apply to newly-indexed events.
What struggles are you having with the timestamp configuration?
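Added example (not part of the thread, and not Splunk's own engine): a small Python emulation of how a TIME_PREFIX / TIME_FORMAT / MAX_TIMESTAMP_LOOKAHEAD triple lands on the sample trace quoted in the question. The emulation is a simplifying assumption: it takes the first TIME_PREFIX match, then tries TIME_FORMAT at each token boundary inside the lookahead window. It runs the answer's `^M\s+` prefix both with `^` meaning "start of the whole event" and with `^` meaning "start of any line", and also a tighter prefix (my own, `TIGHT_PREFIX`, not from the thread) that only matches an `M` line whose text looks like `Sun Sep 17 10:40:23 2017`, so the reader can see which pairing actually reaches the timestamp on the 13th line of the event before editing props.conf.

```python
import re
from datetime import datetime

# Constructed sample event: the first 15 lines of the SAP dev trace quoted in the
# question, joined as one multi-line event (what a LINE_BREAKER that only breaks
# on "trc file" produces when the whole trace file becomes a single event).
SAMPLE_EVENT = "\n".join([
    "* ACTIVE TRACE LEVEL 1",
    "* ACTIVE TRACE COMPONENTS all, MJ",
    "M sysno 00",
    "M sid P05",
    "M systemid 390 (AMD/Intel x86_64 with Linux)",
    "M relno 7420",
    "M patchlevel 0",
    "M patchno 439",
    "M intno 20020600",
    "M make multithreaded, Unicode, 64 bit, optimized",
    "M profile /usr/sap/P05/SYS/profile/P05_D00_stp05a02",
    "M pid 3019",
    "M Sun Sep 17 10:40:23 2017",
    "M kernel runs with dp version 3000(ext=117000) (@(#) DPLIB-INT-VERSION-0+3000-UC)",
    "M length of sys_adm_ext is 500 bytes",
])

TIME_FORMAT = "%a %b %d %H:%M:%S %Y"   # the TIME_FORMAT from the answer above

# TIME_PREFIX from the answer, and a tighter alternative (my assumption, not from
# the thread) that only matches an "M " line followed by a weekday/month timestamp.
ANSWER_PREFIX = r"^M\s+"
TIGHT_PREFIX = r"M\s+(?=[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})"


def extract_timestamp(event, time_prefix, time_format=TIME_FORMAT,
                      lookahead=500, multiline=False):
    """Simplified emulation (an assumption, not Splunk's timestamp processor):
      1. find the FIRST match of time_prefix in the event; with multiline=True
         '^' matches at every line start, otherwise only at the event start;
      2. within `lookahead` characters after that match (MAX_TIMESTAMP_LOOKAHEAD),
         try time_format at every whitespace-delimited token boundary;
      3. return (datetime, matched_text) for the first successful parse, or
         (None, reason) when the prefix or the format never matches."""
    flags = re.MULTILINE if multiline else 0
    m = re.search(time_prefix, event, flags)
    if m is None:
        return None, "TIME_PREFIX did not match"
    window = event[m.end():m.end() + lookahead]
    ntok = len(time_format.split())          # tokens the format consumes (6 here)
    tokens = window.split()
    for i in range(len(tokens) - ntok + 1):
        candidate = " ".join(tokens[i:i + ntok])
        try:
            return datetime.strptime(candidate, time_format), candidate
        except ValueError:
            continue
    return None, "TIME_FORMAT did not match within MAX_TIMESTAMP_LOOKAHEAD"


if __name__ == "__main__":
    cases = [
        ("answer prefix, ^ = start of event", ANSWER_PREFIX, False, 500),
        ("answer prefix, ^ = start of any line", ANSWER_PREFIX, True, 500),
        ("answer prefix, lookahead too short", ANSWER_PREFIX, True, 100),
        ("tight prefix", TIGHT_PREFIX, False, 500),
    ]
    for label, prefix, ml, la in cases:
        ts, detail = extract_timestamp(SAMPLE_EVENT, prefix, lookahead=la, multiline=ml)
        print(f"{label:38s} -> {ts} ({detail})")
```

Two things the run makes visible: the event starts with `* ACTIVE TRACE`, so a prefix anchored with `^` only reaches the timestamp if `^` is allowed to match at line starts, and the distance from the first `M ` line to `Sun Sep 17 ...` is about 260 characters, so a MAX_TIMESTAMP_LOOKAHEAD of 100 would silently miss it while 500 covers it. The tight prefix does not depend on either, because it matches directly in front of the timestamp.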
Thanks sshelly for your comment.
I have used the above TIME_FORMAT and TIME_PREFIX; it is not working.
Please find the first line and last line of the events. Please check and provide a solution, as we have a lot of events with the format below.
B dbsync[db_syexe]: wait=0, call_no=14656, current_ts=20171007133452, last_counter=-2132741714