Re: Custom timestamp parsing

the_sigma · ‎09-20-2023

I'm looking to use the following as my timestamp. What should I use in props as my timestamp format and timestamp prefix.
[20230718:001541.421] : [WARN ]

gcusello · ‎09-21-2023

Hi @the_sigma ,

if the timestamp it's at the beginning of the event, you could try:

TIME_PREFIX = ^\[
TIME_FORMAT = %Y%m%d:%H%M%S.%3N

If it isn't at the end of the event, please share some sample of your events, eventually masked, but with the same structure.

Ciao.

Giuseppe

the_sigma · ‎09-20-2023

I tried your string in the datapreview screen. I placed it in the timestamp format field. I used \d{8}\:\d{6}\.\d{3} as the prefix put I'm still getting timestamp=none

richgalloway · ‎09-20-2023

The prefix is the part that comes *before* the timestamp string and must not describe the timestamp string itself. The prefix for the sample event would be ^[

---
If this reply helps you, Karma would be appreciated.

the_sigma · ‎09-20-2023

I had already tried that as well but with no luck. It has to be something else that I missing. Thanks for replying though. If I figure it out, I'll post an update here.

richgalloway · ‎09-20-2023

Assuming that represents 18 July 23 00:15:41.421 then the format string would be %Y%m%d:%H%M%S.%3N

---
If this reply helps you, Karma would be appreciated.

How to do custom timestamp parsing?

props.conf

time

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability

Are you a member of the Splunk Community?