Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

What values to be updated in the props conf file ?

ethanthomas
Path Finder
‎03-22-2021 03:48 PM

My logfile is like below,

"timestamp": "2021-03-22 22:37:35". 

Can someone tell me how to edit the props file correctly ? My current props file doesent have the time parameters listed .

DATETIME_CONFIG =

KV_MODE =json

# INDEXED EXTRACTIONS =json

NO_BINAY_CHECK= true

Appreciate the help on this  . Shoud I give TIME_PREFIX= timestamp ? What else parameters required ?

Labels (1)
Labels
Tags (3)
0 Karma
Reply

venkatasri
SplunkTrust
SplunkTrust
‎03-22-2021 08:21 PM

Hi @ethanthomas 

props.conf can be deployed on Splunk UF, HF , SH and indexer.  What you are referring to seems to be closed to parsing layer which can be either deployed on HF or indexer as timestamp extraction only happens there and get assigned to _time when you search events in SH.

Assuming you are going to use the props conf during parsing,

[your_sourcetype_name]
TIME_PREFIX=\"timestamp\":\s+\"
TIME_FORMAT=%Y-%m-%d %H:%M:%S

NOTE: There are additional fields can be used together depends on data, KV_MODE  works on SH, INDEXED_EXTRACTIONS works on UF.

You can refer - Configure timestamp recognition - Splunk Documentation

props.conf - props.conf - Splunk Documentation

TIME_FORMAT - Date and time format variables - Splunk Documentation

---------------------------------------------------

An upvote would be appreciated if it helps!

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...