Getting Data In

Timestamp lookahead questions

edrivera3
Builder

Hi

I have the following configuration:
timestamp format: %c
timestamp prefix: Start\sTime:\s+
lookahead: ???

I want a configuration that will look for the timestamp through the entire event regardless of the size of the event. Is there any value that can be set up as lookahead for this configuration? If I set up lookahead to 100000 and the timestamp is after the 100th character, would Splunk go through the entire event even though it finds the timestamp within the first 100 characters?

1 Solution

woodcock
Esteemed Legend

When you use TIME_PREFIX, the nature of MAX_TIMESTAMP_LOOKAHEAD changes: instead of counting from the beginning of the raw event text, it will count from the position AFTER the TIME_PREFIX. So by using TIME_PREFIX, you pretty much guarantee that Splunk will find your timestamp and not give up, provided you have a good RegEx for TIME_PREFIX.


MuS
Legend

Hi edrivera3,

to answer your questions:

Is there any value that can be set up as lookahead for this configuration?
You can set MAX_TIMESTAMP_LOOKAHEAD=0 or MAX_TIMESTAMP_LOOKAHEAD=-1 (see http://docs.splunk.com/Documentation/Splunk/6.3.0/admin/Propsconf) to disable the length constraint for timestamp recognition.

If I set up lookahead to 100000 and the timestamp is after the 100th character, would Splunk go through the entire event even though it finds the timestamp within the first 100 characters?
No, you're just telling Splunk how far at most to look into the event. If the timestamp is found before MAX_TIMESTAMP_LOOKAHEAD is reached, Splunk will use this timestamp.

BTW, if the timestamp is not found within MAX_TIMESTAMP_LOOKAHEAD, Splunk will use other steps and try to find a timestamp. See the docs for more details: http://docs.splunk.com/Documentation/Splunk/6.3.0/Data/HowSplunkextractstimestamps

cheers, MuS

0 Karma

somesoni2
Revered Legend

If you see the definition of MAX_TIMESTAMP_LOOKAHEAD in the Splunk Docs (http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Configuretimestamprecognition), it says this defines how far Splunk will go to locate the full timestamp, and it starts from the location of the TIME_PREFIX. So if you have a proper prefix, you don't have to worry about Splunk scanning the whole event. Splunk will first find the TIME_PREFIX and then search through the number of characters specified in MAX_TIMESTAMP_LOOKAHEAD, which should be the length of the timestamp value (for %c I think it's 24 characters, so keeping it at 25 or 30 should work just fine).

0 Karma
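A small model of the behaviour described in the answers above, added here as an illustration; it is not Splunk's code, and the exact window semantics (window counted from the end of the TIME_PREFIX match, 0 or -1 disabling the limit, first prefix match wins) are an assumption taken from the answers and the docs. It shows a %c timestamp sitting more than 100 characters into a constructed event being found with MAX_TIMESTAMP_LOOKAHEAD=25, missed with 10, and found again with 0.

```python
import re
from datetime import datetime

# The poster's settings: TIME_FORMAT=%c and TIME_PREFIX=Start\sTime:\s+
TIME_PREFIX = re.compile(r"Start\sTime:\s+")
# %c is locale dependent; this models the C-locale layout "Tue Nov 10 14:32:05 2015".
C_LOCALE_FMT = "%a %b %d %H:%M:%S %Y"
C_LOCALE_LEN = 24  # length of a %c value in the C locale


def find_timestamp(event, max_lookahead):
    """Model (an assumption, not Splunk's own implementation) of how TIME_PREFIX and
    MAX_TIMESTAMP_LOOKAHEAD interact: the lookahead window starts right after the
    first prefix match, and 0 or -1 removes the length limit.
    Returns (datetime, offset_after_prefix) or None."""
    m = TIME_PREFIX.search(event)  # first match wins; nothing after it is scanned
    if m is None:
        return None
    start = m.end()
    if max_lookahead in (0, -1):
        window = event[start:]
    else:
        window = event[start:start + max_lookahead]
    candidate = window[:C_LOCALE_LEN]  # the whole timestamp must fit in the window
    try:
        return datetime.strptime(candidate, C_LOCALE_FMT), start
    except ValueError:
        return None


# Constructed sample event: about 150 characters of header before the prefix.
HEADER = "job=nightly-backup host=db01 " + "x" * 120 + " "
EVENT = HEADER + "Start Time: Tue Nov 10 14:32:05 2015 status=OK"
EXPECTED = datetime(2015, 11, 10, 14, 32, 5)


def demo():
    found_25 = find_timestamp(EVENT, 25)   # window counted from after the prefix
    found_10 = find_timestamp(EVENT, 10)   # too short for a 24-character %c value
    found_off = find_timestamp(EVENT, 0)   # length constraint disabled
    return {
        "prefix_offset": found_25[1] if found_25 else None,
        "lookahead_25": found_25[0] if found_25 else None,
        "lookahead_10": found_10[0] if found_10 else None,
        "lookahead_0": found_off[0] if found_off else None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```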

edrivera3
Builder

Thanks for your response.

0 Karma