Re: Need assistance to write the props

jackin · ‎03-13-2023

Hi

I want to write the props for below logs.

Actually the logs are coming with no timestamp and the file name having the timestamp.

These are the logs:

Message Is: https POST failed: . Status Is: Ok

Message Is: https POST successful: 200. Status Is: Ok

Changed .Pac File to http://liteway.prog2.com/proxyins/proxy_client.oac

Unable to change .Pac File to http://liteway.prog2.com/proxyins/proxy_client.oac

File name coming like

zscalerhttp_2023-01-09-18-03-25

Can anyone help to write the props for this logs..

jackin · ‎03-13-2023

Yes @PickleRick

PickleRick · ‎03-13-2023

OK. There is no setting that would allow you to extract timestamp from filename or path directly. The only way I see is to use a INGEST_EVAL functionality. See https://conf.splunk.com/files/2020/slides/PLA1154C.pdf (slide 28 onwards)

PickleRick · ‎03-13-2023

Let me get this straight - you have a separate file per each event?

jackin · ‎03-13-2023

Yes @PickleRick

Timestamp parsing from filename

administration

configuration

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Analytics Workspace deprecation

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation