Solved: Properly Extract Time from custom Data Set

hagjos43 · ‎10-01-2015

Hello, I have the follow data set comprised of custom weblog output:

2015-08-08 12:40:03:163 UserID="37" userGroup="helloworld1192" userRole="test82" commonName="insertnamehereagainandagain" certName="HENRY.T.WASHINGTON" ipAddress="192.168.1.83" userBrowser="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"

I have the following in my Props.conf on the indexer:

[customwebtest]
LINE_BREAKER = (\d{4}\S\d{2}\S\d{2}\s\d{2}\S\d{2}\S\d{2}\S\d{3})
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
MAX_TIMESTAMP_LOOKAHEAD = 23
TIME_PREFIX = ^
TIME_FORMAT = (%y-%m-%d %H:%M:%S:%3N)

Problem is in Splunk it's excluding the event timestamp and using the time at ingestion. What am I doing wrong here?

Thanks!

schose · ‎10-01-2015

Remove your LINE_BREAKER and you should be fine.

Cheers,

Andreas

View solution in original post

schose · ‎10-01-2015

Remove your LINE_BREAKER and you should be fine.

Cheers,

Andreas

richgalloway · ‎10-01-2015

The value of the LINE_BREAKER attribute is the event separator - characters that come between events. Whatever matches the first capturing group is discarded. If your log has one event per line then the default LINE_BREAKER=\n should be sufficient.

---
If this reply helps you, Karma would be appreciated.

pradeepkumarg · ‎10-01-2015

Your time format is wrong. It should be uppercase Y for the year if it includes centuary

 TIME_FORMAT = %Y-%m-%d %H:%M:%S:%3N

http://docs.splunk.com/Documentation/Splunk/6.2.5/SearchReference/Commontimeformatvariables

Properly Extract Time from custom Data Set

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!