Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Why isn't the timestamp being recognized ?

ddrillic
Ultra Champion
‎09-30-2017 02:14 PM

We have a case that looks like this -

alt text

So, the events are not broken by the timestamp. Is it because of the underscore between the date and time?

Tags (1)
Preview file
16 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gjanders
SplunkTrust
SplunkTrust
‎10-02-2017 05:53 AM

Splunk has a number of built in time formats, I would recommend you manually parse your timestamps to improve indexing performance and ensure that you have the timestamps consistently recognised.

In this case in your props.conf

[replace_with_your_sourcetype]
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d_%H:%M:%S.%3N

Also refer to configure timestamp recognition. I agree with skoelpin it's probably the _ throwing the default timestamp parsing off.

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gjanders
SplunkTrust
SplunkTrust
‎10-02-2017 05:53 AM

Splunk has a number of built in time formats, I would recommend you manually parse your timestamps to improve indexing performance and ensure that you have the timestamps consistently recognised.

In this case in your props.conf

[replace_with_your_sourcetype]
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d_%H:%M:%S.%3N

Also refer to configure timestamp recognition. I agree with skoelpin it's probably the _ throwing the default timestamp parsing off.

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎10-04-2017 10:13 AM

Btw, this by itself did it ; -) with no line breaking

0 Karma
Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎10-02-2017 06:29 AM

Gorgeous - thank you @garethatiagg

Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎10-02-2017 06:34 AM

Remember that this is a start and you should apply line breaking to your props.conf aswell.. This will take some load off your indexers

Reply
Solved! Jump to solution

gjanders
SplunkTrust
SplunkTrust
‎10-02-2017 06:53 AM

The documentation also covers line breaking

This is a slightly more advanced topic but potentially worth discussing here, the default for the MAX_EVENTS in props.conf is 256 lines at the time of writing, if you always have single line events you could switch SHOULD_LINEMERGE=false on and never line merge (this entry would go in the props.conf)

Alternatively if you have very large events (>1000 lines) you could make a more complicated LINE_BREAKER setting and change SHOULD_LINEMERGE to false such as:

[replace_with_your_sourcetype]
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d_%H:%M:%S.%3N
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2}_\d

Of course the above would require testing, and it would only make sense if you have larger multi-line events (I've used examples like the above for events >1000 lines), doing this can remove pressure from the aggregation queue as the merging will move to the parsing queue...

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎09-30-2017 02:30 PM

Most likely the underscores are throwing it off. What's your props.conf look like?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

In today’s data-heavy environment, organizations are caught in a data distribution dilemma. As data volumes ...

GA: New Data Management App in Splunk Platform

Streamlining Data Management: Introducing a unified experience in Splunk Managing data at scale shouldn’t feel ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...