need help in writing time prefix and time format

saifuddin9122 · ‎05-23-2017

Hello All

i have events like this:

hn:keng01-dev01-ins01-rpt31.int.dev.mykronos.com|pid:3161|prod:iHub|****4145194752*licensekey.cpp*01640*07000**2017MAY22*09:40:13*
Is PMD Using All CPU cores: Yes
hn:keng01-dev01-ins01-rpt31.int.dev.mykronos.com|pid:3161|prod:iHub|****4145194752*licensekey.cpp*01640*07000*2017MAY22*09:40:13
Is PMD Using All CPU cores: Yes

Can any one help me in writing time prefix and time format for the above events.

Thanks in advance

woodcock · ‎05-23-2017

Like this in props.conf:

TIME_PREFIX = ([^\|]*\|){3}(\D+\d+){3}\D+
TIME_FORMAT = %Y%B%d*%H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 18

Deploy to your Indexers, restart all Splunk instances there and then verify by checking ONLY events that have been forwarded after the restarts.

skoelpin · ‎05-23-2017

Try this

TIME_FORMAT = %Y%B%d*%I:%M:%S
TIME_PREFIX = \d{4}\w+\d{2}\*\d{2}:\d{2}:\d{2}

saifuddin9122 · ‎05-23-2017

sorry it didn't worked

skoelpin · ‎05-23-2017

Which part didn't work and how are you testing this?

saifuddin9122 · ‎05-23-2017

TIME_PREFIX = \d{4}\w+\d{2}*\d{2}:\d{2}:\d{2}

i'm testing it from add data inputs, when i do it i am seeing timestamp as none

FloSwiip · ‎05-23-2017

TIME_FORMAT=%Y%B%d*%I:%M:%S
TIME_PREFIX=.*licensekey\.cpp\*\d+\*\d+\*
MAX_TIMESTAMP_LOOKAHEAD=128

works on this sample

need help in writing time prefix and time format

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability