Getting Data In

How to configure the timestamp configuration on below event types.

Explorer

Hi Folks,

I have events in the below format, which do not have a timestamp in the first 20 lines. I tried to create the configuration, but it did not succeed. Could you please help me create the TIME_PREFIX and TIME_FORMAT for the below events?


trc file: "dev_w0", trc level: 1, release: "742"

*
* ACTIVE TRACE LEVEL 1
* ACTIVE TRACE COMPONENTS all, MJ
*
M sysno 00
M sid P05
M systemid 390 (AMD/Intel x8664 with Linux)
M relno 7420
M patchlevel 0
M patchno 439
M intno 20020600
M make multithreaded, Unicode, 64 bit, optimized
M profile /usr/sap/P05/SYS/profile/P05
D00stp05a02
M pid 3019
M
M

M Sun Sep 17 10:40:23 2017
M kernel runs with dp version 3000(ext=117000) (@(#) DPLIB-INT-VERSION-0+3000-UC)
M length of sys
admext is 500 bytes
M ThStart: taskhandler started
M ThInit: initializing DIA work process W0
X MMX: use precise segment size globally
M ThStopHeapLockChecker: stop heap lock checker
M rdisp/sapgui
datatrace : 1 -> 1
M ***LOG Q01=> ThInit, WPStart (Workp. 0 1 3019) [thxxhead.c 1052]
M

M Sun Sep 17 10:40:28 2017
M ThInit: running on host stp05a02
I MtxInit: 0 0 0
M calling db
connect ...
B Loading DB library '/usr/sap/P05/D00/exe/dboraslib.so' ...
B Library '/usr/sap/P05/D00/exe/dboraslib.so' loaded
B Version of '/usr/sap/P05/D00/exe/dboraslib.so' is "742.06", patchlevel (0.431)
B readconinfo_ssfs(): DBSL supports extended connect protocol
B ==> connect info for default DB will be read from ssfs

0 Karma

Re: How to configure the timestamp configuration on below event types.

Splunk Employee
TIME_FORMAT = %a %b %d %H:%M:%S %Y
TIME_PREFIX = ^M\s+

I don't know how you want to break your events though. Can you tell me the first/last line in an event?
0 Karma

Re: How to configure the timestamp configuration on below event types.

Explorer

Thanks sshelly for your command.

I have used the above TIME_FORMAT and TIME_PREFIX; it is not working.

Please find the first line and last line of the events below. Please check and provide a solution, as we have a lot with the below format.


trc file: "dev_w0", trc level: 1, release: "742"

B dbsync[dbsyexe]: wait=0, callno=14656, currentts=20171007133452, lastcounter=-2132741714

0 Karma

Re: How to configure the timestamp configuration on below event types.

SplunkTrust

Try these props.conf settings:

TIME_FORMAT = %a %b %d %H:%M:%S %Y
TIME_PREFIX = ^M\s+
LINE_BREAKER = ()trc file
MAX_TIMESTAMP_LOOKAHEAD = 500
---
If this reply helps you, an upvote would be appreciated.
0 Karma

Re: How to configure the timestamp configuration on below event types.

Explorer

I have tried the above command; it is not working, and I am struggling to configure the timestamp configuration.

0 Karma

Re: How to configure the timestamp configuration on below event types.

SplunkTrust

You are restarting Splunk after making props.conf changes, right? Also, the changes only apply to newly-indexed events.
What struggles are you having with the timestamp configuration?

---
If this reply helps you, an upvote would be appreciated.
0 Karma