Re: What is the proper use of props.conf for times...

dhtran · ‎04-09-2020

Hello,

I have the following data in plain text format that contains several datetime values, it looks like this :

XXXXXXXX201710101005582018101010055820191010100558

20171010100558 = date1
20181010100558 = date2
20191010100558 = date3

I have successfully configured props.conf to extract event timestamp from the first occurence (date1), using the following config :
TIME_FORMAT = %Y%m%d%H%M%S
MAX_TIMESTAMP_LOOKAHEAD = 22
TIME_PREFIX = .{8}

Now, things got complicated because date2 and date3 could be null, either 1 of the two, or both.

How can I configure properly props.conf, to handle the following rule :
- looks for date2 first, if exists, use it as event timestamp
- if date2 is null, looks for date3, if exists, use it as event timestamp
- if date2 and date3 are null, use date1 as event timestamp

Thanks in advance for your help.

DalJeanis · ‎04-10-2020

Please generate an example of each of the cases. We need to understand what you mean by "null" - are they spaces, or something else?

dhtran · ‎04-11-2020

by null I meant blank spaces
XXXXXXXX201710101005582018101010055820191010100558
XXXXXXXX20171010100558{14_spaces}20191010100558
XXXXXXXX2017101010055820181010100558{14_spaces}
XXXXXXXX20171010100558{14_spaces}{14_spaces}

What is the proper use of props.conf for timestamp conditional mapping

Exciting News: The AppDynamics Community Joins Splunk!

The All New Performance Insights for Splunk

Good Sourcetype Naming

Are you a member of the Splunk Community?

What is the proper use of props.conf for timestamp conditional mapping

Exciting News: The AppDynamics Community Joins Splunk!

The All New Performance Insights for Splunk

Good Sourcetype Naming