Getting Data In

How to configure the timestamp configuration on below event types.

lksridhar
Explorer

Hi Folks,

i have events on below format which does not have time stamp on first 20 lines and i tried to create the configuration but it not succeed. could you please help me to create the time_prefix and time_format for below events.


trc file: "dev_w0", trc level: 1, release: "742"

*
* ACTIVE TRACE LEVEL 1
* ACTIVE TRACE COMPONENTS all, MJ
*
M sysno 00
M sid P05
M systemid 390 (AMD/Intel x86_64 with Linux)
M relno 7420
M patchlevel 0
M patchno 439
M intno 20020600
M make multithreaded, Unicode, 64 bit, optimized
M profile /usr/sap/P05/SYS/profile/P05_D00_stp05a02
M pid 3019
M
M

M Sun Sep 17 10:40:23 2017
M kernel runs with dp version 3000(ext=117000) (@(#) DPLIB-INT-VERSION-0+3000-UC)
M length of sys_adm_ext is 500 bytes
M ThStart: taskhandler started
M ThInit: initializing DIA work process W0
X MMX: use precise segment size globally
M ThStopHeapLockChecker: stop heap lock checker
M rdisp/sapgui_data_trace : 1 -> 1
M ***LOG Q01=> ThInit, WPStart (Workp. 0 1 3019) [thxxhead.c 1052]
M

M Sun Sep 17 10:40:28 2017
M ThInit: running on host stp05a02
I MtxInit: 0 0 0
M calling db_connect ...
B Loading DB library '/usr/sap/P05/D00/exe/dboraslib.so' ...
B Library '/usr/sap/P05/D00/exe/dboraslib.so' loaded
B Version of '/usr/sap/P05/D00/exe/dboraslib.so' is "742.06", patchlevel (0.431)
B read_con_info_ssfs(): DBSL supports extended connect protocol
B ==> connect info for default DB will be read from ssfs

Tags (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Try these props.conf settings:

TIME_FORMAT = %a %b %d %H:%M:%S %Y
TIME_PREFIX = ^M\s+
LINE_BREAKER = ()trc file
MAX_TIMESTAMP_LOOKAHEAD = 500
---
If this reply helps you, Karma would be appreciated.
0 Karma

lksridhar
Explorer

I have tried above command it is not working and struggling to configure the time stamp configuration,

0 Karma

richgalloway
SplunkTrust
SplunkTrust

You are restarting Splunk after making props.conf changes, right? Also, the changes only apply to newly-indexed events.
What struggles are you having with the timestamp configuration?

---
If this reply helps you, Karma would be appreciated.
0 Karma

sshelly_splunk
Splunk Employee
Splunk Employee
TIME_FORMAT = %a %b %d %H:%M:%S %Y
TIME_PREFIX = ^M\s+

I don't know how you want to break your events though. Can u tell me the first/last line in an event??
0 Karma

lksridhar
Explorer

Thanks sshelly for your command.

I have used above TIME_FORMAT and TIME_PREFIX, it is not working

Please find the first line and last line of the events. Please check and provide solution as we have lot of with below format.


trc file: "dev_w0", trc level: 1, release: "742"

B dbsync[db_syexe]: wait=0, call_no=14656, current_ts=20171007133452, last_counter=-2132741714

0 Karma
Get Updates on the Splunk Community!

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

We love our Splunk Community and want you to feel inspired by all your hard work! Eric Fusilero, our VP of ...

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...