Getting Data In
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to configure the timestamp configuration on below event types.

lksridhar
Explorer
‎12-12-2017 05:27 AM

Hi Folks,

i have events on below format which does not have time stamp on first 20 lines and i tried to create the configuration but it not succeed. could you please help me to create the time_prefix and time_format for below events.

trc file: "dev_w0", trc level: 1, release: "742"

*
* ACTIVE TRACE LEVEL 1
* ACTIVE TRACE COMPONENTS all, MJ
*
M sysno 00
M sid P05
M systemid 390 (AMD/Intel x86_64 with Linux)
M relno 7420
M patchlevel 0
M patchno 439
M intno 20020600
M make multithreaded, Unicode, 64 bit, optimized
M profile /usr/sap/P05/SYS/profile/P05_D00_stp05a02
M pid 3019
M
M

M Sun Sep 17 10:40:23 2017
M kernel runs with dp version 3000(ext=117000) (@(#) DPLIB-INT-VERSION-0+3000-UC)
M length of sys_adm_ext is 500 bytes
M ThStart: taskhandler started
M ThInit: initializing DIA work process W0
X MMX: use precise segment size globally
M ThStopHeapLockChecker: stop heap lock checker
M rdisp/sapgui_data_trace : 1 -> 1
M ***LOG Q01=> ThInit, WPStart (Workp. 0 1 3019) [thxxhead.c 1052]
M

M Sun Sep 17 10:40:28 2017
M ThInit: running on host stp05a02
I MtxInit: 0 0 0
M calling db_connect ...
B Loading DB library '/usr/sap/P05/D00/exe/dboraslib.so' ...
B Library '/usr/sap/P05/D00/exe/dboraslib.so' loaded
B Version of '/usr/sap/P05/D00/exe/dboraslib.so' is "742.06", patchlevel (0.431)
B read_con_info_ssfs(): DBSL supports extended connect protocol
B ==> connect info for default DB will be read from ssfs

Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-13-2017 06:57 AM

Try these props.conf settings:

TIME_FORMAT = %a %b %d %H:%M:%S %Y
TIME_PREFIX = ^M\s+
LINE_BREAKER = ()trc file
MAX_TIMESTAMP_LOOKAHEAD = 500
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

lksridhar
Explorer
‎12-15-2017 02:34 AM

I have tried above command it is not working and struggling to configure the time stamp configuration,

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-15-2017 10:50 AM

You are restarting Splunk after making props.conf changes, right? Also, the changes only apply to newly-indexed events.
What struggles are you having with the timestamp configuration?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

sshelly_splunk
Splunk Employee
Splunk Employee
‎12-12-2017 08:58 AM 
TIME_FORMAT = %a %b %d %H:%M:%S %Y
TIME_PREFIX = ^M\s+

I don't know how you want to break your events though. Can u tell me the first/last line in an event??
0 Karma
Reply

lksridhar
Explorer
‎12-13-2017 03:03 AM

Thanks sshelly for your command.

I have used above TIME_FORMAT and TIME_PREFIX, it is not working

Please find the first line and last line of the events. Please check and provide solution as we have lot of with below format.

trc file: "dev_w0", trc level: 1, release: "742"

B dbsync[db_syexe]: wait=0, call_no=14656, current_ts=20171007133452, last_counter=-2132741714

0 Karma
Reply
Get Updates on the Splunk Community!

Important Update to Data Management Pipeline Builders: RE2 to PCRE2 Migration

Dear Community,   In an effort to deliver a more consistent experience across Splunk Cloud Platform and its ...

Buttercup Games: Further Dashboarding Techniques (Part 4)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Top