Getting Data In

Timestamp from file with no year

billysmusic
Explorer

I have a time-stamp in format Wed Jan 25 16:36:02 EST. I can't get Splunk to match it.
I tried modifying the props.conf:
[host::rok*]
TIME_PREFIX = dst
TIME_FORMAT = %a %b %d %H:%M:%S %Z

But it doesn't recognize the pattern. Am I missing something?
Full-event line:
dst Thu Jan 26 07:45:12 EST 10.10.1.2:vmwsspapp02_prd_data01 rok:vmwsspapp02_prd_data01 Start

Thanks!


walterleunghk
Explorer

If the log is not too old, I think the below should work.

MAX_DAYS_AGO = 100
TIME_FORMAT = %a %b %d %H:%M:%S %Z
TIME_PREFIX = ^dst\s+

hexx
Splunk Employee

Thank you for providing a sample event.

Splunk should be able to interpret the time stamp on its own, but I would strongly recommend that you use TIME_PREFIX and MAX_TIMESTAMP_LOOKAHEAD to scope the time stamp extraction to the location in your events where it can be found:

[host::rok*]
TIME_PREFIX = ^dst
MAX_TIMESTAMP_LOOKAHEAD = 24

This is very important because you do not want Splunk to pick up a string that may look like a year somewhere else in the event, which may result in a wrong time stamp.

TIME_FORMAT is optional here, but you can specify it if desired to speed up the time stamp extraction process.

Make sure to refer to props.conf.spec for a full description of these configuration keys.

UPDATE: Since you seem to have line-breaking issues, I would suggest that you add the following configuration keys to explicitly declare how your source file should be split into events:

LINE_BREAKER = ([\r\n]+)dst\s+
SHOULD_LINEMERGE = false

This is assuming that all of your events begin with the string "dst ", and that no line that is not an event begins with that string.

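The following is an added example, not code from the thread and not Splunk's parser. It models in Python what the props.conf keys proposed above (walterleunghk's MAX_DAYS_AGO and hexx's TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD, LINE_BREAKER, SHOULD_LINEMERGE = false) do to a year-less "dst ..." log, so you can see why the scoping matters and what can still go wrong. The sample log is constructed; the zone table, the year-inference rule (most recent year that does not land in the future) and the weekday cross-check are this example's own assumptions, not Splunk's documented behaviour. Python's strptime only accepts the local zone's names for %Z, so the zone abbreviation is handled separately.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample, modelled on the event line in the thread (not real data).
# The indented continuation line deliberately contains a 4-digit number so we
# can show that MAX_TIMESTAMP_LOOKAHEAD keeps it from being read as a year.
SAMPLE_LOG = (
    "dst Thu Jan 26 07:45:12 EST 10.10.1.2:vmwsspapp02_prd_data01 rok:vmwsspapp02_prd_data01 Start\n"
    "    detail: retry budget 2019 remaining\n"
    "dst Thu Jan 26 07:45:40 EST 10.10.1.3:vmwsspapp03_prd_data01 rok:vmwsspapp03_prd_data01 Stop\n"
)

# Values from the thread. This script models their meaning; it is not Splunk.
LINE_BREAKER = r"([\r\n]+)dst\s+"
TIME_PREFIX = r"^dst\s+"
MAX_TIMESTAMP_LOOKAHEAD = 24
MAX_DAYS_AGO = 100

# Assumed zone table for the %Z field (constructed, only what the sample needs).
TZ_OFFSETS = {"EST": -5, "EDT": -4, "UTC": 0, "GMT": 0}

# Hand-written matcher for "%a %b %d %H:%M:%S %Z" with no year field.
STAMP_RE = re.compile(
    r"(?P<wday>[A-Za-z]{3}) (?P<rest>[A-Za-z]{3} \d{1,2} \d{2}:\d{2}:\d{2}) (?P<tz>[A-Z]{3,4})"
)


def break_events(text: str, line_breaker: str = LINE_BREAKER) -> list[str]:
    """Split like a LINE_BREAKER with one capture group: the captured text is
    discarded and whatever follows the group begins the next event, so the
    'dst' token stays at the head of every event (SHOULD_LINEMERGE = false)."""
    events, start = [], 0
    for m in re.finditer(line_breaker, text):
        events.append(text[start:m.start(1)])
        start = m.end(1)
    events.append(text[start:])
    return [e.rstrip("\r\n") for e in events if e.strip()]


def infer_year(month_day_time: str, tz: str, now: datetime) -> datetime:
    """Assumed rule: the most recent year that does not put the stamp in the
    future. This is what makes a December log ingested in January come out
    in the previous year instead of eleven months ahead."""
    offset = timezone(timedelta(hours=TZ_OFFSETS[tz]))
    for year in (now.year, now.year - 1):
        try:
            candidate = datetime.strptime(f"{month_day_time} {year}", "%b %d %H:%M:%S %Y")
        except ValueError:  # e.g. Feb 29 in a non-leap year
            continue
        candidate = candidate.replace(tzinfo=offset)
        if candidate <= now:
            return candidate
    raise ValueError("timestamp is in the future for both candidate years")


def extract_timestamp(event: str, now: datetime) -> dict:
    """Apply TIME_PREFIX, then look only MAX_TIMESTAMP_LOOKAHEAD characters
    past it. A stray number elsewhere in the event never enters the window."""
    prefix = re.search(TIME_PREFIX, event)
    if not prefix:
        return {"ok": False, "reason": "TIME_PREFIX not found"}
    window = event[prefix.end():prefix.end() + MAX_TIMESTAMP_LOOKAHEAD]
    m = STAMP_RE.match(window)
    if not m:
        return {"ok": False, "reason": f"no timestamp within lookahead: {window!r}"}
    ts = infer_year(m["rest"], m["tz"], now)
    # The log carries a weekday even though it lacks a year: use it to catch a
    # wrong year guess (this cross-check is the example's own addition).
    if ts.strftime("%a") != m["wday"]:
        return {"ok": False, "reason": f"weekday {m['wday']} does not match inferred year {ts.year}"}
    if now - ts > timedelta(days=MAX_DAYS_AGO):
        return {"ok": False, "reason": f"older than MAX_DAYS_AGO={MAX_DAYS_AGO}"}
    return {"ok": True, "timestamp": ts}


def parse_log(text: str, now_iso: str) -> list[dict]:
    """now_iso is an ISO 8601 instant with offset standing in for 'now', so
    year inference is reproducible."""
    now = datetime.fromisoformat(now_iso)
    return [{"event": e, **extract_timestamp(e, now)} for e in break_events(text)]


if __name__ == "__main__":
    for r in parse_log(SAMPLE_LOG, "2023-02-10T00:00:00+00:00"):
        print(r)
```

Run with a "now" a year later and the first event is rejected: Jan 26 is a Thursday in 2023 but a Friday in 2024, so the weekday that is in the log exposes the wrong year. That is the practical caveat for year-less timestamps in a security log: once the year is guessed wrong, every correlation against other sources is silently off by a year, so either keep MAX_DAYS_AGO tight or add a check like this on ingestion.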

hexx
Splunk Employee

That means that you have an issue with line-breaking, which has to be addressed with different parameters. I'll update my answer.

billysmusic
Explorer

Thanks for the suggestion. I just tried both of those and left out the TIME_FORMAT with no luck. It still sees the entire log as one event. I've also messed around with every setting I can think of in the "Data Preview" section when adding the source but cannot get it to recognize each individual line.


billysmusic
Explorer

Sure, here is a full line of an event:
dst Thu Jan 26 07:45:12 EST 10.10.1.2:vmwsspapp02_prd_data01 rok:vmwsspapp02_prd_data01 Start


hexx
Splunk Employee

I agree with @gkanapathy, we cannot really recommend a configuration without a sample event to base it on.


gkanapathy
Splunk Employee

Why do you have TIME_PREFIX = dst? What does the actual event line look like? Does it actually contain that string immediately before the timestamp?

sbrant_tt
Explorer

You appear to be missing the year match in your conf file. The pattern to match your time-stamp should be:

%a %b %d %Y %H:%M:%S %Z

billysmusic
Explorer

Oops, I accidentally put the year in source format. It is actually not there. I updated my question with the correct format. Thank you for responding though.
