Re: Help with props.conf to detetct time and break...

power12 · ‎07-13-2022

I have the following sample data in a csv file.I am trying to import it but its unable to break the line and detect the timestamp.

Sample events

"Jun30.22.21.55, LVVL@abc.LOCAL, InOctets, 557766140, OutOctets, 3462815293, Total MB used, 502.572679125"

"Jun30.22.21.55, ALU@abc.LOCAL, InOctets, 4238119433, OutOctets, 3683403330, Total MB used, 990.190345375"

"Jun30.22.21.55, RXGH@abc.LOCAL, InOctets, 233853544, OutOctets, 485536206, Total MB used, 89.92371875"

ITWhisperer · ‎07-13-2022

Assuming your timestamp is the first field, try setting your TIME_FORMAT to %b%d.%y.%H.%M

Having said that, what do dates with single digit days look like e.g. Jul01.22 or Jul 1.22 or Jul1.22?

power12 · ‎07-13-2022

Jun30.22.21.55 ....here Jun30th is the date with year as present and 22.21.55 is the time ...with single date it will be Jun01

ITWhisperer · ‎07-13-2022

%b%d.%H.%M.%S

power12 · ‎07-13-2022

I tried using %b%d.%H.%M.%S in TIME_FORMAT but it did not recognize the time.I am attaching the screenshot of how it looks when uploaded through UI.

[ csv ]
CHARSET=UTF-8
INDEXED_EXTRACTIONS=csv
KV_MODE=none
SHOULD_LINEMERGE=false
category=Structured
description=Comma-separated value format. Set header and other settings in "Delimited Settings"
disabled=false
pulldown_type=true
TIME_FORMAT=%b%d.%H.%M.%S

ITWhisperer · ‎07-13-2022

Try including TIME_PREFIX = ^

power12 · ‎07-13-2022

I tried that no luck

Props.conf: How to detect time and break events?

props.conf

Splunk APM & RUM | Upcoming Planned Maintenance

Part 2: Diving Deeper With AIOps

User Groups | Upcoming Events!