Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to configure the timestamp configuration on below event types.

lksridhar
Explorer
‎12-12-2017 05:27 AM

Hi Folks,

i have events on below format which does not have time stamp on first 20 lines and i tried to create the configuration but it not succeed. could you please help me to create the time_prefix and time_format for below events.

trc file: "dev_w0", trc level: 1, release: "742"

*
* ACTIVE TRACE LEVEL 1
* ACTIVE TRACE COMPONENTS all, MJ
*
M sysno 00
M sid P05
M systemid 390 (AMD/Intel x86_64 with Linux)
M relno 7420
M patchlevel 0
M patchno 439
M intno 20020600
M make multithreaded, Unicode, 64 bit, optimized
M profile /usr/sap/P05/SYS/profile/P05_D00_stp05a02
M pid 3019
M
M

M Sun Sep 17 10:40:23 2017
M kernel runs with dp version 3000(ext=117000) (@(#) DPLIB-INT-VERSION-0+3000-UC)
M length of sys_adm_ext is 500 bytes
M ThStart: taskhandler started
M ThInit: initializing DIA work process W0
X MMX: use precise segment size globally
M ThStopHeapLockChecker: stop heap lock checker
M rdisp/sapgui_data_trace : 1 -> 1
M ***LOG Q01=> ThInit, WPStart (Workp. 0 1 3019) [thxxhead.c 1052]
M

M Sun Sep 17 10:40:28 2017
M ThInit: running on host stp05a02
I MtxInit: 0 0 0
M calling db_connect ...
B Loading DB library '/usr/sap/P05/D00/exe/dboraslib.so' ...
B Library '/usr/sap/P05/D00/exe/dboraslib.so' loaded
B Version of '/usr/sap/P05/D00/exe/dboraslib.so' is "742.06", patchlevel (0.431)
B read_con_info_ssfs(): DBSL supports extended connect protocol
B ==> connect info for default DB will be read from ssfs

Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-13-2017 06:57 AM

Try these props.conf settings:

TIME_FORMAT = %a %b %d %H:%M:%S %Y
TIME_PREFIX = ^M\s+
LINE_BREAKER = ()trc file
MAX_TIMESTAMP_LOOKAHEAD = 500
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

lksridhar
Explorer
‎12-15-2017 02:34 AM

I have tried above command it is not working and struggling to configure the time stamp configuration,

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-15-2017 10:50 AM

You are restarting Splunk after making props.conf changes, right? Also, the changes only apply to newly-indexed events.
What struggles are you having with the timestamp configuration?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

sshelly_splunk
Splunk Employee
Splunk Employee
‎12-12-2017 08:58 AM 
TIME_FORMAT = %a %b %d %H:%M:%S %Y
TIME_PREFIX = ^M\s+

I don't know how you want to break your events though. Can u tell me the first/last line in an event??
0 Karma
Reply

lksridhar
Explorer
‎12-13-2017 03:03 AM

Thanks sshelly for your command.

I have used above TIME_FORMAT and TIME_PREFIX, it is not working

Please find the first line and last line of the events. Please check and provide solution as we have lot of with below format.

trc file: "dev_w0", trc level: 1, release: "742"

B dbsync[db_syexe]: wait=0, call_no=14656, current_ts=20171007133452, last_counter=-2132741714

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...