Re: need help in writing time prefix and time form...

saifuddin9122 · ‎05-23-2017

Hello All

i have events like this:

hn:keng01-dev01-ins01-rpt31.int.dev.mykronos.com|pid:3161|prod:iHub|****4145194752*licensekey.cpp*01640*07000**2017MAY22*09:40:13*
Is PMD Using All CPU cores: Yes
hn:keng01-dev01-ins01-rpt31.int.dev.mykronos.com|pid:3161|prod:iHub|****4145194752*licensekey.cpp*01640*07000*2017MAY22*09:40:13
Is PMD Using All CPU cores: Yes

Can any one help me in writing time prefix and time format for the above events.

Thanks in advance

woodcock · ‎05-23-2017

Like this in props.conf:

TIME_PREFIX = ([^\|]*\|){3}(\D+\d+){3}\D+
TIME_FORMAT = %Y%B%d*%H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 18

Deploy to your Indexers, restart all Splunk instances there and then verify by checking ONLY events that have been forwarded after the restarts.

skoelpin · ‎05-23-2017

Try this

TIME_FORMAT = %Y%B%d*%I:%M:%S
TIME_PREFIX = \d{4}\w+\d{2}\*\d{2}:\d{2}:\d{2}

saifuddin9122 · ‎05-23-2017

sorry it didn't worked

skoelpin · ‎05-23-2017

Which part didn't work and how are you testing this?

saifuddin9122 · ‎05-23-2017

TIME_PREFIX = \d{4}\w+\d{2}*\d{2}:\d{2}:\d{2}

i'm testing it from add data inputs, when i do it i am seeing timestamp as none

FloSwiip · ‎05-23-2017

TIME_FORMAT=%Y%B%d*%I:%M:%S
TIME_PREFIX=.*licensekey\.cpp\*\d+\*\d+\*
MAX_TIMESTAMP_LOOKAHEAD=128

works on this sample

need help in writing time prefix and time format

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Join the Conversation