
How to edit props.conf to cope with two different time values in log file

ssaenger
Communicator

Hi All,

I have created an index and sourcetype for two log files.
I have set up my props.conf to extract the date/time and separate each event onto one line; however, one of my logs has a colon after the time, and it is not separating out correctly.

See below:

19/09/2017 13:34:51.438
2017-09-19 13:34:51.438683 [ptp1:pps--phc1(ens1f0/ens1f1)], last: 0, mean: 0, min: 2147483647, max: -2147483647, bad-period: 0, overflows: 0
19/09/2017 13:34:51.437 
2017-09-19 13:34:51.437853: warning: ptp ptp1: failed to receive Announce within 12.000 seconds
2017-09-19 13:34:51.437898: debug: ptp ptp1: state PTP_LISTENING 
2017-09-19 13:34:51.437911: debug: netRefreshIGMP
19/09/2017 13:34:50.823 
2017-09-19 13:34:50.823439 [phc0(ens1f0/ens1f1)->system], offset: -8.875, freq-adj: -42949.984, in-sync: 1

My props.conf file:

[ptp_log]
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE_DATE = false
BREAK_ONLY_BEFORE = ^\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}.\d{6}\s
MAX_TIMESTAMP_LOOKAHEAD = 26
TIME_PREFIX = ^

If I put a colon into the regex, it will miss the other log file.
Is the only way to do this to use two sourcetypes?

Thanks,


DalJeanis
Legend

Try this...

BREAK_ONLY_BEFORE = ^\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}.\d{6}[\s:]

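To see why the original BREAK_ONLY_BEFORE pattern merges the colon-terminated lines into the preceding event while the `[\s:]` variant breaks every line, here is a small Python script that approximates Splunk's SHOULD_LINEMERGE/BREAK_ONLY_BEFORE behaviour and the TIME_PREFIX/MAX_TIMESTAMP_LOOKAHEAD window over a constructed copy of the sample lines. This is an added example, not code from the thread or from Splunk; the sample log is constructed to mirror the question, and the two regexes are copied verbatim from the question and the answer.

```python
import re
from datetime import datetime
from typing import Dict, List

# Constructed sample, not the poster's actual file: it reproduces the two
# line shapes from the question, i.e. stats lines with a space after the
# microseconds and message lines with a colon after the microseconds.
SAMPLE_LOG = """\
2017-09-19 13:34:51.438683 [ptp1:pps--phc1(ens1f0/ens1f1)], last: 0, mean: 0, min: 2147483647, max: -2147483647, bad-period: 0, overflows: 0
2017-09-19 13:34:51.437853: warning: ptp ptp1: failed to receive Announce within 12.000 seconds
2017-09-19 13:34:51.437898: debug: ptp ptp1: state PTP_LISTENING
2017-09-19 13:34:51.437911: debug: netRefreshIGMP
2017-09-19 13:34:50.823439 [phc0(ens1f0/ens1f1)->system], offset: -8.875, freq-adj: -42949.984, in-sync: 1
"""

# The two BREAK_ONLY_BEFORE values from the thread, copied verbatim.
ORIGINAL_BREAK = r"^\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}.\d{6}\s"
FIXED_BREAK = r"^\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}.\d{6}[\s:]"

# TIME_PREFIX = ^ and MAX_TIMESTAMP_LOOKAHEAD = 26 from the question's props.conf.
MAX_TIMESTAMP_LOOKAHEAD = 26
TIME_FORMAT = "%Y-%m-%d %H:%M:%S.%f"


def break_events(raw: str, break_only_before: str) -> List[str]:
    """Approximate SHOULD_LINEMERGE = true with BREAK_ONLY_BEFORE.

    A line that matches the regex starts a new event; any other line is
    appended to the event currently being built. The very first line always
    starts an event, as there is nothing earlier to merge it into.
    """
    starts_event = re.compile(break_only_before)
    events: List[str] = []
    for line in raw.splitlines():
        if not events or starts_event.search(line):
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events


def extract_timestamp(event: str) -> datetime:
    """Mimic TIME_PREFIX = ^ plus MAX_TIMESTAMP_LOOKAHEAD: only the first 26
    characters of the event are offered to the timestamp parser, which is
    exactly the length of '2017-09-19 13:34:51.437853'."""
    return datetime.strptime(event[:MAX_TIMESTAMP_LOOKAHEAD], TIME_FORMAT)


def compare_breaking(raw: str = SAMPLE_LOG) -> Dict[str, int]:
    """Return how many events each BREAK_ONLY_BEFORE regex produces."""
    return {
        "original": len(break_events(raw, ORIGINAL_BREAK)),
        "fixed": len(break_events(raw, FIXED_BREAK)),
    }


if __name__ == "__main__":
    for label, pattern in (("original", ORIGINAL_BREAK), ("fixed", FIXED_BREAK)):
        events = break_events(SAMPLE_LOG, pattern)
        print(f"{label}: {len(events)} event(s)")
        for event in events:
            stamp = extract_timestamp(event)
            print(f"  {stamp.isoformat()}  {event.count(chr(10)) + 1} line(s)")
```

With the original regex the three `: warning`/`: debug` lines never match (the `\s` after the six microsecond digits fails on the colon), so they are merged into the first stats event and the sample collapses to two events; with `[\s:]` all five lines start their own event. Because the colon sits at character 27, MAX_TIMESTAMP_LOOKAHEAD = 26 still hands the timestamp parser exactly the `YYYY-MM-DD HH:MM:SS.ffffff` string, so no change to the timestamp settings is needed. One caveat on both patterns as posted: the `.` before `\d{6}` is unescaped and matches any single character; writing it as `\.` would be stricter, although for these logs the result is the same.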


ssaenger
Communicator

Worked a treat, thanks.
