Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- help with time_prefix
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I'm using data preview to test some new feeds, and while the event breaking is fine, I'm getting a warning message about needing TIME_PREFIX, and the time isn't parsing properly.
My props.conf config is:
ANNOTATE_PUNCT = false
KV_MODE = none
LINE_BREAKER = ([\r\n]+)
MAX_TIMESTAMP_LOOKAHEAD = 30
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = false
TIME_FORMAT = %Y/%m/%d %H:%M:%S
TIME_PREFIX = |
TRUNCATE = 999999
Here's some sample data. How would I configure the TIME_PREFIX in this situation?
STATUS | wrapper | 2014/04/15 11:26:49 | --> Wrapper Started as Service
STATUS | wrapper | 2014/04/15 11:26:49 | Java Service Wrapper Professional Edition 64-bit 3.4.0
STATUS | wrapper | 2014/04/15 11:26:49 | Copyright (C) 1999-2010 Tanuki Software, Ltd. All Rights Reserved.
STATUS | wrapper | 2014/04/15 11:26:49 | http://wrapper.tanukisoftware.org
STATUS | wrapper | 2014/04/15 11:26:49 | Licensed to VMware Global, Inc. for VMware vCenter Inventory Service
STATUS | wrapper | 2014/04/15 11:26:49 |
STATUS | wrapper | 2014/04/15 11:26:49 | Launching a JVM...
INFO | jvm 1 | 2014/04/15 11:26:49 | WrapperManager: Initializing...
INFO | jvm 1 | 2014/04/15 11:26:59 | Apr 15, 2014 11:26:59 AM org.apache.catalina.core.AprLifecycleListener init
INFO | jvm 1 | 2014/04/15 11:26:59 | INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on
the java.library.path: ../lib;../../bin
INFO | jvm 1 | 2014/04/15 11:27:00 | Apr 15, 2014 11:26:59 AM org.apache.coyote.AbstractProtocol init
INFO | jvm 1 | 2014/04/15 11:27:00 | INFO: Initializing ProtocolHandler ["http-bio-0.0.0.0-10080"]
INFO | jvm 1 | 2014/04/15 11:27:00 | Apr 15, 2014 11:26:59 AM org.apache.coyote.AbstractProtocol init
INFO | jvm 1 | 2014/04/15 11:27:00 | INFO: Initializing ProtocolHandler ["http-bio-0.0.0.0-10443"]
INFO | jvm 1 | 2014/04/15 11:27:00 | Apr 15, 2014 11:27:00 AM org.apache.catalina.core.StandardService startInternal
INFO | jvm 1 | 2014/04/15 11:27:00 | INFO: Starting service Tomcat
INFO | jvm 1 | 2014/04/15 11:27:00 | Apr 15, 2014 11:27:00 AM org.apache.catalina.core.StandardEngine startInternal
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
TIME_PREFIX = ([^|]+\|){2}
Should do it. One or more non-pipe characters followed by a pipe, repeated twice. Can also be written:
TIME_PREFIX = [^|]+\|[^|]+\|
/K
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
TIME_PREFIX = ([^|]+\|){2}
Should do it. One or more non-pipe characters followed by a pipe, repeated twice. Can also be written:
TIME_PREFIX = [^|]+\|[^|]+\|
/K
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Perfect. Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
was the sourcetype is tomcat:runtime:log? or is it different? please let me know how you managed the sourcetype
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Splunk Community Badges!
How to find the worst searches in your Splunk environment and how to fix them
Share Your Feedback: On Admin Config Service (ACS)!
