Solved: order of parsing: sedcmd and time_prefix

tfechner · ‎03-20-2020

Hi,

we have a syslog message like:
Mar 20 16:27:09 hostname.com Mar 20 16:17:01 hostname 2020-20-03 16:27:02,486 hostname messsage

with a sedcmd I can remove the first part until the year.
Then I have:
2020-20-03 16:27:02,486 hostname messsage

If there is another timestring in the message I have to us TIME_RPEFIX in props.conf.
What regex do I have to use? Starting at line beginning (that is after sedcnd) oder on the initial message with a ittle bit more regex?

What is theparsing order splunk uses in props.conf? First sedcmd and the prefix or is stripping the very last thing splunk does with the event?

Torsten

richgalloway · ‎03-20-2020

SEDCMD comes after TIME_PREFIX. See https://www.aplura.com/assets/pdf/props_conf_order.pdf

---
If this reply helps you, an upvote would be appreciated.

View solution in original post

richgalloway · ‎03-20-2020

SEDCMD comes after TIME_PREFIX. See https://www.aplura.com/assets/pdf/props_conf_order.pdf

---
If this reply helps you, an upvote would be appreciated.

View solution in original post

tfechner · ‎03-20-2020

so first is: line_breaker,
then time_prefix and time string
then I strip with sedcmd

when will the event merged together in case of multiline events?

richgalloway · ‎03-20-2020

That happens in the Aggregation Queue (before SEDCMD).

---
If this reply helps you, an upvote would be appreciated.

order of parsing: sedcmd and time_prefix

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.Find out what your skills are worth! Read the report >

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!

Read the report >