Help with TIME_PREFIX

a212830 · ‎04-06-2015

Hi,

I need some help setting up a TIME_PREFIX for the following:

INFO | jvm 1 | 2015/04/05 01:56:20 | Sametime Check: Sametime Session unloaded
INFO | jvm 1 | 2015/04/05 01:56:22 | Sametime Check: Slave thread complete; Stats:
INFO | jvm 1 | 2015/04/05 01:56:22 |

Can someone help me?

TIA.

gfuente · ‎04-06-2015

Hello

You can use this regex:

^[^\|]*\|[^\|]*\|\s*

regards

a212830 · ‎04-06-2015

Thanks. Doesn't seem to work. Still getting "could not use strptime to parse timestamp..." messages.

Here's my entire props.conf:

ANNOTATE_PUNCT = false
KV_MODE = auto
LINE_BREAKER = ([\r\n]+)
MAX_TIMESTAMP_LOOKAHEAD = 90
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = false
TIME_PREFIX = ^[^|]|[^|]|\s*
TIME_FORMAT = %Y/%M/%d %H:%M:%S

gfuente · ‎04-06-2015

Your time format is wrong, you should use:

%Y/%m/%d %H:%M:%S

a212830 · ‎04-06-2015

Grrr. Stupid me.

Thanks!

Help with TIME_PREFIX

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation

Help with TIME_PREFIX

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...