Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: props.conf
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All,
can anyone help us to figure out magic six for the below sample log?
SHOULD_LINEMERGE=
LINE_BREAKER=
MAX_TIMESTAMP_LOOKAHEAD=
TIME_PREFIX=
TRUNCATE=
TIME_FORMAT=
VersionNumber=7.2 build 13. Maint HF-005,Priority=N/A,LocalTranNumber=I32790D942,RemoteTranNumber=N/A,TransferStartTime=003940,TransferStartDate=20190327,
Thanks in Advance!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @EHariharan ,
The answer provided by @ragedsparrow is how you should approach data onboarding. However, if you're the one tasked with owning the data, and you're just given some events you might try these values:
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = TransferStartTime=
TIME_FORMAT = %H%M%S,TransferStartDate=%Y%m%d
TRUNCATE = 10000
MAX_TIMESTAMP_LOOKAHEAD = 40
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @EHariharan ,
The answer provided by @ragedsparrow is how you should approach data onboarding. However, if you're the one tasked with owning the data, and you're just given some events you might try these values:
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = TransferStartTime=
TIME_FORMAT = %H%M%S,TransferStartDate=%Y%m%d
TRUNCATE = 10000
MAX_TIMESTAMP_LOOKAHEAD = 40
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, jnudell_2. It worked
Also, I would like to thank ragedsparrow and FrankVl .
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The "magic six" are usually defined by you or whomever knows the data. Essentially, you are telling Splunk where to break the events and how to identify the timestamps for indexing.
I suggest you do this;
- Identify what constitutes a new event.
- Identify what the timestamp for the event is in the event.
Just looking at that event, the TIME_FORMAT might look like this:
TIME_PREFIX = TransferStartTime=
TIME_FORMAT = %H%M%S,TransferStartDate=%Y%m%d
You may not HAVE to use everything form the Magic 6, but you should try to if you can.
What I usually do is bring in sample data into a standalone instance (usually running on my laptop) and use the "Add Data" ability to bring in the data and test out props before I deploy them out.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'd move TransferStartTime= to the TIME_PREFIX setting, other than that I had the same suggestion in mind 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah, that is much better. Modified my answer to reflect that.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What have you tried so far and what problems are you running into? This is a platform for asking questions, not for asking other people to do your job for you 🙂
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Automating Threat Operations and Threat Hunting with Recorded Future
Keep the Learning Going with the New Best of .conf Hub
Splunk Community Badges!
