how do i get splunk to recognise timestamp of my l...

deepthi5 · ‎09-22-2016

I have a time stamp logged into my my SNMP log like the below

[6844 0502 083830508 SNMP] BAXSnmpSTTWorker::HandleSystemOperatorEvent(), Entering supervisor (\SNMP\STT) // BAXS04202.CPP(164)

[6844 0502 083830508 SNMP]-->In this 0502 is my Month and date followed by 08:HH 38:MM 30:SS 508 :ms how do i tell splunk to understand this as timestamp while indexing my log into SPLUNK

Thanks
Deepthi

inventsekar · ‎09-22-2016

please try this stanza in props.conf:

[host::hostname]
    TIME_PREFIX = \[d{4}
    TIME_FORMAT = %m%d %H%M%S%Q

Best Regards,
Sekar

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

deepthi5 · ‎09-22-2016

I have tried the same in props.conf but using [sourcetype] but was not successful

inventsekar · ‎09-22-2016

Hi Deepthi, may i know your props.conf please. are you using line_breaks and other things?!?

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

somesoni2 · ‎09-22-2016

And if the props.conf was setup on Indexer/Heavy Forwarder and was restarted after making the change? Also, it'll only work for any new data that'll come after you made the change.

how do i get splunk to recognise timestamp of my log

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 2)

Index This | I am a number but I am countless. What am I?

What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience