Getting Data In

I would like to get some help to process the following timestamp, included in the example, please:

fvasquezchacon
Path Finder

The following is one event of the data:

MACUL     DIRP101 JUL14 00:00:00 5577 INFO DIRP_FLOW_LOG REASON= 15 SSYS#= 2   
           SSNAME= OM   POOL#= 4 VOLUME#= 68 SOS_FILE_ID= 2949 0005 003C   
           TEXT1= SCHEDULED OG ROTATE COMPLETED, RECORDS: 46628    PARM1= 1978   
           TEXT2= VOL: D050OM3, FILE: A140913000088OM, ROTATE:     PARM2= 2A67

I tried using the timestamps tab when indexing the data, without successful results. I think I have been doing something wrong.

Thanks in advance!


fvasquezchacon
Path Finder

Sorry, but I don't know why the backslash symbol does not appear in my post. For the location pattern, the correct stanza is:

Location: Timestamp is always prefaced by pattern: MACUL(backslash)s+(backslash)S+(backslash)s



richgalloway
SplunkTrust

Backslash is the escape character. To insert a backslash you can either use two backslashes or enclose your text in backticks (`).

---
If this reply helps you, Karma would be appreciated.

richgalloway
SplunkTrust

Try adding the following to the appropriate stanza of your props.conf file.

SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = MACUL
TIME_FORMAT = %b%d %H:%M:%S
---
If this reply helps you, Karma would be appreciated.

richgalloway
SplunkTrust

I'm glad you got it working. Please accept the answer to help others in future.

---
If this reply helps you, Karma would be appreciated.

fvasquezchacon
Path Finder

Hi!

Thanks for your help. It was very useful in order to solve this issue.

As we reviewed, I had some problems, but with these settings on the timestamp tab it worked:

Location: Timestamp is always prefaced by pattern: MACUL\s+\S+\s

Format: Timestamp format (strptime): %b%d %H:%M:%S

On the preview screen, it seems to not work well (the result was not OK); nevertheless I continued indexing and the result was different and it worked.

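As an added illustration (not code from the thread or from Splunk itself), here is a small Python re-implementation of what the props.conf stanza and the timestamp-tab settings above ask Splunk to do: merge lines into events that begin with MACUL, skip the prefix pattern MACUL\s+\S+\s, and parse what follows with %b%d %H:%M:%S. It assumes the current year is supplied by the caller, as Splunk does when the format has none, and the second event in the sample is constructed to show why that matters for FEB29.

```python
import re
from datetime import datetime

# Constructed sample: the event from the thread plus a second, invented event
# (FEB29 is deliberate, to exercise the missing-year edge case).
RAW_LOG = """\
MACUL     DIRP101 JUL14 00:00:00 5577 INFO DIRP_FLOW_LOG REASON= 15 SSYS#= 2
           SSNAME= OM   POOL#= 4 VOLUME#= 68 SOS_FILE_ID= 2949 0005 003C
           TEXT1= SCHEDULED OG ROTATE COMPLETED, RECORDS: 46628    PARM1= 1978
           TEXT2= VOL: D050OM3, FILE: A140913000088OM, ROTATE:     PARM2= 2A67
MACUL     DIRP102 FEB29 23:59:59 5578 INFO DIRP_FLOW_LOG REASON= 15 SSYS#= 2
           TEXT1= CONSTRUCTED SECOND EVENT
"""

# The props.conf values from the thread, used here as plain Python regexes.
BREAK_ONLY_BEFORE = re.compile(r"MACUL")
TIME_PREFIX = re.compile(r"MACUL\s+\S+\s")
TIME_FORMAT = "%b%d %H:%M:%S"
# The text TIME_FORMAT is expected to consume right after the prefix.
TIMESTAMP_RE = re.compile(r"[A-Za-z]{3}\d{1,2} \d{2}:\d{2}:\d{2}")

def break_events(raw: str) -> list[str]:
    """Merge lines into events, opening a new one only on a line matching
    BREAK_ONLY_BEFORE (approximates SHOULD_LINEMERGE = true in props.conf)."""
    events: list[list[str]] = []
    for line in raw.splitlines():
        if BREAK_ONLY_BEFORE.match(line) or not events:
            events.append([line])
        else:
            events[-1].append(line)
    return ["\n".join(lines) for lines in events]

def extract_timestamp(event: str, year: int) -> "datetime | None":
    """Parse the text right after TIME_PREFIX with TIME_FORMAT. The format has
    no year, so the caller supplies one (Splunk assumes the current year);
    prepending it avoids strptime's default year 1900, which would reject
    FEB29 even in leap years. Returns None if nothing parses for that year."""
    prefix = TIME_PREFIX.search(event)
    m = TIMESTAMP_RE.match(event, prefix.end()) if prefix else None
    if not m:
        return None
    try:
        return datetime.strptime(f"{year} {m.group(0)}", "%Y " + TIME_FORMAT)
    except ValueError:  # e.g. FEB29 in a non-leap year
        return None

def parse_log(raw: str, year: int):
    """Break the raw text into events, each paired with its parsed timestamp."""
    return [(extract_timestamp(ev, year), ev) for ev in break_events(raw)]
```

Running the settings this way outside Splunk is a quick check that the prefix and format really line up with the event text before indexing.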

richgalloway
SplunkTrust

You may need to add a TZ statement to your props file, but your problem appears to be more than that. I wonder if Splunk has a bug processing the %b format string if it is not delimited.

---
If this reply helps you, Karma would be appreciated.

fvasquezchacon
Path Finder

Thanks for the answer, but unfortunately it seems not to be working as expected.

I click on the advanced mode (props.conf) tab and paste the stanza received. Below is the result given for the timestamp:

9/25/01 4:51:20.000 PM

Did I do it correctly? I have read about editing the props.conf, but I haven't worked with this yet. I would appreciate it if you could tell me whether I'm doing OK, please.

Thanks!


fvasquezchacon
Path Finder

Hi!

Thanks for the quick answer.

In relation to your questions, the time stamp is: "JUL14 00:00:00".

In fact, the event is multiline. They do not have the same format and line length (unfortunately). They do begin with the word "MACUL" in this log, but the following strings can vary.

The timestamp represents 14th July of the current year.

In addition, these logs come from a Huawei Softx300 softswitch.

Thanks a lot!


richgalloway
SplunkTrust

Is 'JUL14 00:00:00' the timestamp field? If so, does it represent 14th July of the current year or something else?

---
If this reply helps you, Karma would be appreciated.

felipetesta
Path Finder

Hello. Can you tell us exactly which is the timestamp in the example? Is the event multiline exactly as shown? Do your events look all the same? (Same format, same line length, same begin string, ...)
