I have events in the below format which do not have a timestamp in the first 20 lines, and I tried to create the configuration, but it did not succeed. Could you please help me create the TIME_PREFIX and TIME_FORMAT for the events below.
* ACTIVE TRACE LEVEL 1
* ACTIVE TRACE COMPONENTS all, MJ
M sysno 00
M sid P05
M systemid 390 (AMD/Intel x8664 with Linux)
M relno 7420
M patchlevel 0
M patchno 439
M intno 20020600
M make multithreaded, Unicode, 64 bit, optimized
M profile /usr/sap/P05/SYS/profile/P05D00stp05a02
M pid 3019
M Sun Sep 17 10:40:23 2017
M kernel runs with dp version 3000(ext=117000) (@(#) DPLIB-INT-VERSION-0+3000-UC)
M length of sysadmext is 500 bytes
M ThStart: taskhandler started
M ThInit: initializing DIA work process W0
X MMX: use precise segment size globally
M ThStopHeapLockChecker: stop heap lock checker
M rdisp/sapguidatatrace : 1 -> 1
M ***LOG Q01=> ThInit, WPStart (Workp. 0 1 3019) [thxxhead.c 1052]
M Sun Sep 17 10:40:28 2017
M ThInit: running on host stp05a02
I MtxInit: 0 0 0
M calling dbconnect ...
B Loading DB library '/usr/sap/P05/D00/exe/dboraslib.so' ...
B Library '/usr/sap/P05/D00/exe/dboraslib.so' loaded
B Version of '/usr/sap/P05/D00/exe/dboraslib.so' is "742.06", patchlevel (0.431)
B readconinfo_ssfs(): DBSL supports extended connect protocol
B ==> connect info for default DB will be read from ssfs
TIME_FORMAT = %a %b %d %H:%M:%S %Y
TIME_PREFIX = ^M\s+

I don't know how you want to break your events though. Can you tell me the first/last line in an event?
Thanks sshelly for your comment.
I have used the above TIME_FORMAT and TIME_PREFIX; it is not working.
Please find the first line and last line of the events below. Please check and provide a solution, as we have a lot of events in the below format.
B dbsync[dbsyexe]: wait=0, callno=14656, currentts=20171007133452, lastcounter=-2132741714
Try these props.conf settings:
TIME_FORMAT = %a %b %d %H:%M:%S %Y
TIME_PREFIX = ^M\s+
LINE_BREAKER = ()trc file
MAX_TIMESTAMP_LOOKAHEAD = 500
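To see why MAX_TIMESTAMP_LOOKAHEAD matters for this trace, the following added Python script (not from this thread, not Splunk's own code) approximates how TIME_PREFIX, TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD interact: the prefix regex is applied in multiline mode, the first match wins, and only the next N characters after that match are scanned for a string that parses with TIME_FORMAT (this simplified model of Splunk's extractor is an assumption). The event text is constructed from the first lines of the trace posted above. With the prefix ^M\s+ the first match is the "M sysno 00" line, so the "Sun Sep 17 10:40:23 2017" line lies well past the default 128-character lookahead but inside 500. The tighter prefix at the end, which anchors directly on the line that carries the date, is an assumption of mine and not a setting from the thread.

```python
import re
from datetime import datetime

# Constructed sample: the first lines of the trace from the question, joined
# into one multi-line event (line text copied from the post).
EVENT = "\n".join([
    "* ACTIVE TRACE LEVEL 1",
    "* ACTIVE TRACE COMPONENTS all, MJ",
    "M sysno 00",
    "M sid P05",
    "M systemid 390 (AMD/Intel x8664 with Linux)",
    "M relno 7420",
    "M patchlevel 0",
    "M patchno 439",
    "M intno 20020600",
    "M make multithreaded, Unicode, 64 bit, optimized",
    "M profile /usr/sap/P05/SYS/profile/P05D00stp05a02",
    "M pid 3019",
    "M Sun Sep 17 10:40:23 2017",
    "M kernel runs with dp version 3000(ext=117000) (@(#) DPLIB-INT-VERSION-0+3000-UC)",
])

TIME_FORMAT = "%a %b %d %H:%M:%S %Y"   # from the thread
TIME_PREFIX = r"^M\s+"                 # from the thread
# Assumed alternative: anchor on the "M " line whose payload starts like
# "Sun Sep 17", so the timestamp sits immediately after the prefix match.
TIGHT_PREFIX = r"^M\s+(?=[A-Z][a-z]{2} [A-Z][a-z]{2} \d)"


def extract_timestamp(event, time_prefix, time_format, lookahead=128):
    """Simplified model of Splunk timestamp extraction (assumption):
    first TIME_PREFIX match wins, then only `lookahead` characters after it
    are scanned for a token run that parses with TIME_FORMAT.
    128 is Splunk's documented default for MAX_TIMESTAMP_LOOKAHEAD."""
    m = re.search(time_prefix, event, re.MULTILINE)
    if not m:
        return None
    window = event[m.end(): m.end() + lookahead]
    nfields = len(time_format.split())
    tokens = re.findall(r"\S+", window)
    for i in range(len(tokens) - nfields + 1):
        candidate = " ".join(tokens[i:i + nfields])
        try:
            return datetime.strptime(candidate, time_format)
        except ValueError:
            continue
    return None


def chars_from_prefix_to_timestamp(event, time_prefix, timestamp_text):
    """Distance (characters) from the end of the first prefix match to the
    start of the timestamp text; this is what the lookahead has to cover."""
    m = re.search(time_prefix, event, re.MULTILINE)
    return event.index(timestamp_text) - m.end()


if __name__ == "__main__":
    ts = "Sun Sep 17 10:40:23 2017"
    print("chars to cover:", chars_from_prefix_to_timestamp(EVENT, TIME_PREFIX, ts))
    print("lookahead 128:", extract_timestamp(EVENT, TIME_PREFIX, TIME_FORMAT, 128))
    print("lookahead 500:", extract_timestamp(EVENT, TIME_PREFIX, TIME_FORMAT, 500))
    print("tight prefix, default lookahead:",
          extract_timestamp(EVENT, TIGHT_PREFIX, TIME_FORMAT))
```

Running it shows the default lookahead returning no timestamp (Splunk would then fall back to the modification time or current time, which is the symptom described in the question), the 500-character lookahead returning 2017-09-17 10:40:23, and the tighter prefix returning the same value without needing a larger lookahead. Whichever setting is used, it belongs in props.conf on the indexer or heavy forwarder that parses the data, and it only affects events indexed after the restart.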
You are restarting Splunk after making props.conf changes, right? Also, the changes only apply to newly-indexed events.
What struggles are you having with the timestamp configuration?