Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

props.conf TIME_FORMAT for middle of the line DATETIME

splunk_zen
Builder
‎12-17-2014 07:55 AM

I'm having trouble recognizing the timestamp for a logs with this structure,
(field timestamp appears = none in Splunk fields column)

DEBUG [org.springframework.scheduling.quartz.SchedulerFactoryBean#0_Worker-3] 09 Dec 2014 22:00:03,760 (?:?) - Performing a clean update ...
DEBUG [org.springframework.scheduling.quartz.SchedulerFactoryBean#0_Worker-3] 09 Dec 2014 22:00:03,761 (?:?) - Delete Query: delete bla_bla
 INFO [org.springframework.scheduling.quartz.SchedulerFactoryBean#0_Worker-3] 09 Dec 2014 22:00:03,797 (?:?) - Records processed - total: 9, inserted: 9, skipped: 0
DEBUG [org.springframework.scheduling.quartz.SchedulerFactoryBean#0_Worker-3] 09 Dec 2014 22:00:03,808 (?:?) -

My props.conf

[spring_output]
NO_BINARY_CHECK=1
SHOULD_LINEMERGE = true
TIME_FORMAT = %d %b %Y %H:%M:%S,%3N
# Breaking events on lines like:  "DEBUG [org.springframework.scheduling.quartz.SchedulerFactoryBean#0_Worker:3] 09 Dec 2014 22:00:03,949"
TIME_PREFIX = ^\s*([A-Z])\w+ \[.*]\s+
MAX_TIMESTAMP_LOOKAHEAD=1
TZ=EST
BREAK_ONLY_BEFORE=^FATAL|^DEBUG|^ERROR|^INFO|^TRACE|^WARN|^ WARN|^ INFO|^CRIT|^ CRIT
MAX_EVENTS = 99999
TRUNCATE = 0
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

splunk_zen
Builder
‎12-18-2014 03:31 AM

Really unsure why Splunk was choking on this but rebuilding it from anew has it now working as expected.


cat local/props.conf
[spring_output]
BREAK_ONLY_BEFORE = ^FATAL|^DEBUG|^ERROR|^INFO|^TRACE|^WARN|^ WARN|^ INFO|^CRIT|^ CRIT
MAX_TIMESTAMP_LOOKAHEAD = 1
NO_BINARY_CHECK = 1
TIME_FORMAT = %d %b %Y %H:%M:%S,%3N
TIME_PREFIX = ^\s*([A-Z])\w+ \[.*]\s+
TZ = EST
pulldown_type = 1

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

splunk_zen
Builder
‎12-18-2014 03:31 AM

Really unsure why Splunk was choking on this but rebuilding it from anew has it now working as expected.


cat local/props.conf
[spring_output]
BREAK_ONLY_BEFORE = ^FATAL|^DEBUG|^ERROR|^INFO|^TRACE|^WARN|^ WARN|^ INFO|^CRIT|^ CRIT
MAX_TIMESTAMP_LOOKAHEAD = 1
NO_BINARY_CHECK = 1
TIME_FORMAT = %d %b %Y %H:%M:%S,%3N
TIME_PREFIX = ^\s*([A-Z])\w+ \[.*]\s+
TZ = EST
pulldown_type = 1
0 Karma
Reply
Solved! Jump to solution

splunk_zen
Builder
‎12-17-2014 08:14 AM

Thanks somesoni2,
could have omitted that as it's only meant to speed up the indexing after I get the timestamp recognition working.
Unfortunately removing it still results in Splunk recognising 0 timestamps.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎12-17-2014 08:06 AM

Just get rid of this

AX_TIMESTAMP_LOOKAHEAD=1

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...