Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how do i get splunk to recognise timestamp of my log

deepthi5
Path Finder
‎09-22-2016 02:44 AM

I have a time stamp logged into my my SNMP log like the below

[6844 0502 083830508 SNMP] BAXSnmpSTTWorker::HandleSystemOperatorEvent(), Entering supervisor (\SNMP\STT) // BAXS04202.CPP(164)

[6844 0502 083830508 SNMP]-->In this 0502 is my Month and date followed by 08:HH 38:MM 30:SS 508 :ms how do i tell splunk to understand this as timestamp while indexing my log into SPLUNK

Thanks
Deepthi

Tags (2)
0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎09-22-2016 03:05 AM

please try this stanza in props.conf:

[host::hostname]
    TIME_PREFIX = \[d{4}
    TIME_FORMAT = %m%d %H%M%S%Q

Best Regards,
Sekar

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
Reply

deepthi5
Path Finder
‎09-22-2016 03:55 AM

I have tried the same in props.conf but using [sourcetype] but was not successful

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎09-22-2016 04:58 AM

Hi Deepthi, may i know your props.conf please. are you using line_breaks and other things?!?

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply

somesoni2
Revered Legend
‎09-22-2016 10:11 AM

And if the props.conf was setup on Indexer/Heavy Forwarder and was restarted after making the change? Also, it'll only work for any new data that'll come after you made the change.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...