Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to configure the timestamp configuration on below event types.

lksridhar
Explorer
‎12-12-2017 05:27 AM

Hi Folks,

i have events on below format which does not have time stamp on first 20 lines and i tried to create the configuration but it not succeed. could you please help me to create the time_prefix and time_format for below events.

trc file: "dev_w0", trc level: 1, release: "742"

*
* ACTIVE TRACE LEVEL 1
* ACTIVE TRACE COMPONENTS all, MJ
*
M sysno 00
M sid P05
M systemid 390 (AMD/Intel x86_64 with Linux)
M relno 7420
M patchlevel 0
M patchno 439
M intno 20020600
M make multithreaded, Unicode, 64 bit, optimized
M profile /usr/sap/P05/SYS/profile/P05_D00_stp05a02
M pid 3019
M
M

M Sun Sep 17 10:40:23 2017
M kernel runs with dp version 3000(ext=117000) (@(#) DPLIB-INT-VERSION-0+3000-UC)
M length of sys_adm_ext is 500 bytes
M ThStart: taskhandler started
M ThInit: initializing DIA work process W0
X MMX: use precise segment size globally
M ThStopHeapLockChecker: stop heap lock checker
M rdisp/sapgui_data_trace : 1 -> 1
M ***LOG Q01=> ThInit, WPStart (Workp. 0 1 3019) [thxxhead.c 1052]
M

M Sun Sep 17 10:40:28 2017
M ThInit: running on host stp05a02
I MtxInit: 0 0 0
M calling db_connect ...
B Loading DB library '/usr/sap/P05/D00/exe/dboraslib.so' ...
B Library '/usr/sap/P05/D00/exe/dboraslib.so' loaded
B Version of '/usr/sap/P05/D00/exe/dboraslib.so' is "742.06", patchlevel (0.431)
B read_con_info_ssfs(): DBSL supports extended connect protocol
B ==> connect info for default DB will be read from ssfs

Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-13-2017 06:57 AM

Try these props.conf settings:

TIME_FORMAT = %a %b %d %H:%M:%S %Y
TIME_PREFIX = ^M\s+
LINE_BREAKER = ()trc file
MAX_TIMESTAMP_LOOKAHEAD = 500
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

lksridhar
Explorer
‎12-15-2017 02:34 AM

I have tried above command it is not working and struggling to configure the time stamp configuration,

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-15-2017 10:50 AM

You are restarting Splunk after making props.conf changes, right? Also, the changes only apply to newly-indexed events.
What struggles are you having with the timestamp configuration?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

sshelly_splunk
Splunk Employee
Splunk Employee
‎12-12-2017 08:58 AM 
TIME_FORMAT = %a %b %d %H:%M:%S %Y
TIME_PREFIX = ^M\s+

I don't know how you want to break your events though. Can u tell me the first/last line in an event??
0 Karma
Reply

lksridhar
Explorer
‎12-13-2017 03:03 AM

Thanks sshelly for your command.

I have used above TIME_FORMAT and TIME_PREFIX, it is not working

Please find the first line and last line of the events. Please check and provide solution as we have lot of with below format.

trc file: "dev_w0", trc level: 1, release: "742"

B dbsync[db_syexe]: wait=0, call_no=14656, current_ts=20171007133452, last_counter=-2132741714

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...