Solved: order of parsing: sedcmd and time_prefix

tfechner · ‎03-20-2020

Hi,

we have a syslog message like:
Mar 20 16:27:09 hostname.com Mar 20 16:17:01 hostname 2020-20-03 16:27:02,486 hostname messsage

with a sedcmd I can remove the first part until the year.
Then I have:
2020-20-03 16:27:02,486 hostname messsage

If there is another timestring in the message I have to us TIME_RPEFIX in props.conf.
What regex do I have to use? Starting at line beginning (that is after sedcnd) oder on the initial message with a ittle bit more regex?

What is theparsing order splunk uses in props.conf? First sedcmd and the prefix or is stripping the very last thing splunk does with the event?

Torsten

richgalloway · ‎03-20-2020

SEDCMD comes after TIME_PREFIX. See https://www.aplura.com/assets/pdf/props_conf_order.pdf

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎03-20-2020

SEDCMD comes after TIME_PREFIX. See https://www.aplura.com/assets/pdf/props_conf_order.pdf

---
If this reply helps you, Karma would be appreciated.

tfechner · ‎03-20-2020

so first is: line_breaker,
then time_prefix and time string
then I strip with sedcmd

when will the event merged together in case of multiline events?

richgalloway · ‎03-20-2020

That happens in the Aggregation Queue (before SEDCMD).

---
If this reply helps you, Karma would be appreciated.

order of parsing: sedcmd and time_prefix

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk