Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- help with time_prefix
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I'm using data preview to test some new feeds, and while the event breaking is fine, I'm getting a warning message about needing TIME_PREFIX, and the time isn't parsing properly.
My props.conf config is:
ANNOTATE_PUNCT = false
KV_MODE = none
LINE_BREAKER = ([\r\n]+)
MAX_TIMESTAMP_LOOKAHEAD = 30
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = false
TIME_FORMAT = %Y/%m/%d %H:%M:%S
TIME_PREFIX = |
TRUNCATE = 999999
Here's some sample data. How would I configure the TIME_PREFIX in this situation?
STATUS | wrapper | 2014/04/15 11:26:49 | --> Wrapper Started as Service
STATUS | wrapper | 2014/04/15 11:26:49 | Java Service Wrapper Professional Edition 64-bit 3.4.0
STATUS | wrapper | 2014/04/15 11:26:49 | Copyright (C) 1999-2010 Tanuki Software, Ltd. All Rights Reserved.
STATUS | wrapper | 2014/04/15 11:26:49 | http://wrapper.tanukisoftware.org
STATUS | wrapper | 2014/04/15 11:26:49 | Licensed to VMware Global, Inc. for VMware vCenter Inventory Service
STATUS | wrapper | 2014/04/15 11:26:49 |
STATUS | wrapper | 2014/04/15 11:26:49 | Launching a JVM...
INFO | jvm 1 | 2014/04/15 11:26:49 | WrapperManager: Initializing...
INFO | jvm 1 | 2014/04/15 11:26:59 | Apr 15, 2014 11:26:59 AM org.apache.catalina.core.AprLifecycleListener init
INFO | jvm 1 | 2014/04/15 11:26:59 | INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on
the java.library.path: ../lib;../../bin
INFO | jvm 1 | 2014/04/15 11:27:00 | Apr 15, 2014 11:26:59 AM org.apache.coyote.AbstractProtocol init
INFO | jvm 1 | 2014/04/15 11:27:00 | INFO: Initializing ProtocolHandler ["http-bio-0.0.0.0-10080"]
INFO | jvm 1 | 2014/04/15 11:27:00 | Apr 15, 2014 11:26:59 AM org.apache.coyote.AbstractProtocol init
INFO | jvm 1 | 2014/04/15 11:27:00 | INFO: Initializing ProtocolHandler ["http-bio-0.0.0.0-10443"]
INFO | jvm 1 | 2014/04/15 11:27:00 | Apr 15, 2014 11:27:00 AM org.apache.catalina.core.StandardService startInternal
INFO | jvm 1 | 2014/04/15 11:27:00 | INFO: Starting service Tomcat
INFO | jvm 1 | 2014/04/15 11:27:00 | Apr 15, 2014 11:27:00 AM org.apache.catalina.core.StandardEngine startInternal
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
TIME_PREFIX = ([^|]+\|){2}
Should do it. One or more non-pipe characters followed by a pipe, repeated twice. Can also be written:
TIME_PREFIX = [^|]+\|[^|]+\|
/K
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
TIME_PREFIX = ([^|]+\|){2}
Should do it. One or more non-pipe characters followed by a pipe, repeated twice. Can also be written:
TIME_PREFIX = [^|]+\|[^|]+\|
/K
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Perfect. Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
was the sourcetype is tomcat:runtime:log? or is it different? please let me know how you managed the sourcetype
Splunk Observability as Code: From Zero to Dashboard
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Shape the Future of Splunk: Join the Product Research Lab!
