Hello harsmarvania57,

Thank you.
Could you perhaps say how the first event will get the event time set in this case?
The string "information: (" is not there.
Also, the rest of the log entries look like the 3-rd one, separated with the [OK]. Will they be translated properly split and given the timestamp like in the case of the 3-rd one?

Kind Regards,
Kamil

Hi Kamil,

For the First event, splunk will not able to find timestamp because I have explicitly given TIME_PREFIX = information: \( so in this case splunk will assign system time when event actually parsed by splunk.

If you want to set timestamp for the First Event then you can change TIME_PREFIX as given below.

If you want Process start time: then TIME_PREFIX = (information: \(|Process start time: )

If you want Exception time: then TIME_PREFIX = (information: \(|Exception time: )

I didn't get what you are trying to say for 3rd one but splunk will assign timestamp as 2018-11-30 21:01:01 972 to 3rd event. Is this what you are looking for?

Hello,

Thank you, I think the
TIME_PREFIX = (information: (|Exception time: )

is the option to choose. With the 3rd event I meant, that the file is big and has many sections/logs/events which look precisely like the 3rd log. I wanted to just reassure that the configuration above will correctly get them, but I guess this became obvious to me now.

Thank you, I will check the configuration proposed by you.

Kind Regards,
Kamil

Best to test this configuration in Standalone or Test environment and then implement it in production. I have converted my comment to answer and if it will work then you can accept it.

Hello,

One more question.
Unfortunately I noticed first now that the date prefix is not always "information: (", so sometimes the event time is set wrong. For example:
[CRASH_EMERGENCYSTACK] Emergency stacktrace: (2018-11-30 21:01:01 973 Local)

Also when I would like to define the prefix as only ": (" it will not work as there are other strings with this suffix. In principle I would need to define the prefix using the regex somehow, telling that this would be the line with the [] brackets and having the ": (" as a prefix.
Is it possible?

Kind regards,
Kamil

Hi Kamil,

Please try below config in props.conf

[yoursourcetype]
BREAK_ONLY_BEFORE_DATE=false
CHARSET=UTF-8
LINE_BREAKER=([\r\n+])\[\w+\]\s+\w+
MAX_TIMESTAMP_LOOKAHEAD=23
NO_BINARY_CHECK=true
SHOULD_LINEMERGE=false
TIME_FORMAT=%Y-%m-%d %H:%M:%S %3N
TIME_PREFIX=(?:\[\w+\]\s+\w+(?:\s+\w+)?\:\s\(|Exception\stime\:\s)
disabled=false

Hello harsmanvania57,

Thank you.
The above configuration works for all sections of the crashdump file but one and I do not why.
For the section below the timestamps seems not to be recognized correctly and the event time is set wrongly:

[CRASH_EXTINFO]  Extended exception info: (2018-12-03 12:29:34 058 Local)
----> Dump of siginfo contents <----
  signal:      11(SIGSEGV)
  code:        STACK OVERFLOW: 2(SEGV_ACCERR: invalid permissions for mapped object)

The event time set is 12:29:34.015 PM, so it is taken from the previous section.
The next section after that gets recognized already correctly (timestamp) and the event time is set in a right way:

[CRASH_CONTEXT]  Context info: (2018-12-03 12:29:34 058 Local)
----> Crashing context information <----
  ContextStack at (0x00007f3b4e31c460)

The event time set in this case is 12:29:34.058 PM, so it is correct.

Any hint why in this one case the timestamp does not get recognized correctly?

Kind Regards,
Kamil

As you don't have fixed number of words after [] and before : (, TIME_PREFIX regex didn't work for below content.

[CRASH_EXTINFO]  Extended exception info: (2018-12-03 12:29:34 058 Local)

Try TIME_PREFIX = (?:\[\w+\]\s+\w+(?:\s+\w+)*?\:\s\(|Exception\stime\:\s)