Solved: How to set up time_format in props.conf when only ...

jwalthour · ‎06-23-2016

Splunk is indexing a log file that has a format like this:

11:03:51.319 Notify Host: HOST_STATUS_UNKNOWN {279, bdl58056}

The events can also be multi-line. So, I set up the props.conf for this sourcetype like this:

SHOULD_LINEMERGE = true
TIME_PREFIX = \d{2}:\d{2}:\d{2}\.\d{3}\s
TIME_FORMAT = %H:%M:%S.%3N
MAX_TIMESTAMP_LOOKAHEAD = 13
BREAK_ONLY_BEFORE_DATE = true

The timestamp doesn't seem to be getting picked up and assigned to _time correctly. How do I set up the event timestamp properly when the "timestamp" on the event is only the time (I can assume the date is the current date)?

woodcock · ‎06-23-2016

Change this line:

TIME_PREFIX = ^

View solution in original post

woodcock · ‎06-23-2016

Change this line:

TIME_PREFIX = ^

jwalthour · ‎06-24-2016

Thank you, woodcock!

How to set up time_format in props.conf when only have time

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Are you a member of the Splunk Community?

How to set up time_format in props.conf when only have time

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...