Installation
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

time prefix match only part of the events

sarit_s
Communicator
‎03-27-2019 02:25 AM

hello,
i have this configuration in my props.conf file:
[f170_system]
BREAK_ONLY_BEFORE = ^\w\s\d+\s\d{2}:\d{2}:\d{2}
DATETIME_CONFIG =
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TIME_PREFIX = ^
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 30
category = Custom
pulldown_type = true

and i have events from two types:

Nov 11 21:43:17 : Info:copyconfig

Sep 20 23:29:54 manager:

for those who has ":" after timestamp the timestamp is incorrect so for example, splunk shows 6.2.2019 while in the event is 11.11.18

for those who has "manager:" after timestamp everything is ok.

any idea why ?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎03-27-2019 02:42 AM

Looks ok to me, but you could try reducing the Timestamp lookahead to 15
I'd also # out or remove the DATETIME_CONFIG line
Is there any reason why you are using BREAK_ONLY_BEFORE as opposed to LINE_BREAKER?

If my comment helps, please give it a thumbs up!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎03-27-2019 02:42 AM

Looks ok to me, but you could try reducing the Timestamp lookahead to 15
I'd also # out or remove the DATETIME_CONFIG line
Is there any reason why you are using BREAK_ONLY_BEFORE as opposed to LINE_BREAKER?

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Solved! Jump to solution

sarit_s
Communicator
‎03-27-2019 02:55 AM

fixed ! thanks ! can you add it as an answer so i will be able to approve 🙂
maybe you can explain to me why the DATETIME_CONFIG made this problem ? or maybe it is the Timestamp lookahead ?
looks like im missing something very basic

0 Karma
Reply
Solved! Jump to solution

nickhills
Ultra Champion
‎03-27-2019 03:09 AM

Date_config has 3 potential values, "NONE", "CURRENT" or "/etc/datetime.xml" (or another config file)
The default is /etc/datetime.xml, so i wonder if leaving it as 'DATETIME_CONFIG=' was confusing things.

The lookahead specifies how many characters after the prefix the date exists in - "Sep 20 23:29:54" is exactly 15 characters, so setting this specifically forces Splunk to look only in those 15 characters for the time.

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Solved! Jump to solution

sarit_s
Communicator
‎03-27-2019 03:18 AM

thanks !

0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...