Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Time format having pipe "|"
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi There,
I am having trouble recognizing time format of %Y%m%d|%H%M%S (e.g. |20130813|235858 )
I have tried using the following settings in props.conf
TIME_PREFIX = \|
TIME_FORMAT = %Y%m%d\|%H%M%S
and
TIME_PREFIX = \|
TIME_FORMAT = %Y%m%d|%H%M%S
both not working.
Can anyone help me out here please.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The docs on TIME_PREFIX can give some explanation;
TIME_PREFIX = <regular expression> in the text following the end of the
* If set, splunk scans the event text for a match for this regex in event text before attempting
to extract a timestamp.
* The timestamping algorithm only looks for a timestamp
first regex match..
* For example, if TIME_PREFIX is set to "abc123", only text following the first occurrence of the
text abc123 will be used for timestamp extraction
Perhaps something like this could work;
TIME_PREFIX = \|(?=\d{8})
Haven't tried it in Splunk, but it works in the excellent online regex tester found at
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The docs on TIME_PREFIX can give some explanation;
TIME_PREFIX = <regular expression> in the text following the end of the
* If set, splunk scans the event text for a match for this regex in event text before attempting
to extract a timestamp.
* The timestamping algorithm only looks for a timestamp
first regex match..
* For example, if TIME_PREFIX is set to "abc123", only text following the first occurrence of the
text abc123 will be used for timestamp extraction
Perhaps something like this could work;
TIME_PREFIX = \|(?=\d{8})
Haven't tried it in Splunk, but it works in the excellent online regex tester found at
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes working very well.
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=false
TIME_FORMAT=%Y%m%d|%H%M%S
TIME_PREFIX=\|(?=\d{8})
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for looking into this
Below are some events
|CALLCONTROL|VMSIVR2|107|20130814|130224|130230|I
|CALLCONTROL|VMSIVR2|183|20130814|130224|130230|I
|CALLCONTROL|VMSIVR2|99|20130814|130124|130230|I
|PROVI|APS2|20130814|130240|
|PROVI|APS2|20130814|130253|
|SMSC|VMSIVR2||20130814|125501|
|SMSC|VMSIVR2||20130814|125511
|20130814|125959|202|12342|
|20130814|134950|203|12451|
Please note that the timestamp is moving here and there since this log is getting combined from various sources.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
are there any other pipes before the one preceding the timestamp? Please post a few sample events.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Does the log starts with the time field? Could you paste a little more of the log?
Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!
Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console
Stay Connected: Your Guide to October Tech Talks, Office Hours, and Webinars!
