Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Issue with props.

theouhuios
Motivator
‎06-25-2013 06:13 PM

Hello

This is the props.conf which I have now

[xxx]
TIME_FORMAT = %a %m/%d/%Y %H:%M:%S.%2N (Is this supposed to be %3N? Even then it doesn't work. Becuase of this I have a regex to extract the time.But somehow even that doesn't populate timestamp field.Instead to make the regex work,I have to call it with "time" as field)
SHOULD_LINEMERGE = False
LINE_BREAKER =  \r\n\s+\(.*\)([\r\n])
TRUNCATE = 999999
MAX_TIMESTAMP_LOOKAHEAD = 12

and this is how each event is in the data

Tue 06/25/2013 19:55:46.91 

SERVICE_NAME: TL_SearchSvr 
        TYPE               : 10  WIN32_OWN_PROCESS  
        STATE              : 4  RUNNING 
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)

I am kinda lost on why is the timestamp field not being extracted. Any help please

Tags (1)
0 Karma
Reply

Ayn
Legend
‎06-25-2013 11:25 PM

I think you're making this much more complicated than it needs to be. All you need to do to make everything work properly is make sure your timestamps are being recognized - that should also solve your event breaking problems, because by default Splunk breaks into a new event whenever it recognizes a valid timestamp.

The obvious problem I see with your config is that you have MAX_TIMESTAMP_LOOKAHEAD set to 12, so you're telling Splunk to only look at the first 12 characters and then try to match those against your TIME_FORMAT. So for your sample event, it tries to match Tue 06/25/20 (rest is cut off). You should just remove the MAX_TIMESTAMP_LOOKAHEAD altogether, along with...well, the rest of your configuration directives really 🙂 Remove LINE_BREAKER, TRUNCATE, SHOULD_LINEMERGE...Possibly even including TIME_FORMAT because I suspect Splunk will recognize the timestamp out of the box, but this might not be the case.

So the resulting stanza would be something like

[xxx]
TIME_FORMAT = %a %m/%d/%Y %H:%M:%S.%2N

(btw, your TIME_FORMAT should indeed have %2N, not %3N, because there's 2 digits after the decimal point, not 3.)

Also as a general note I find that it's often much easier to work with event breaking settings instead of trying to setup custom line breakers.

Reply

asimagu
Builder
‎06-25-2013 07:54 PM

try this one:

TIME_FORMAT = %a\s%m/%d/%Y\s%H:%M:%S.%2N
LINE_BREAKER =  \r\n\s+\(.*\)([\r\n])
TRUNCATE = 999999
MAX_TIMESTAMP_LOOKAHEAD = 27

alt text

0 Karma
Reply

asimagu
Builder
‎06-26-2013 05:48 PM

I was just advising what worked for me when I replicated theouhuios' problem on my laptop, I am editing my answer to add a screenshot of my results.
Of course I always respect what your workmate has to say 😉

0 Karma
Reply

Ayn
Legend
‎06-26-2013 06:46 AM

_time ALWAYS gets populated. If a string matching your TIME_FORMAT is found in the event that's used. If no match is found Splunk will resort to other methods. See more here: http://docs.splunk.com/Documentation/Splunk/5.0/Data/Configuretimestamprecognition

0 Karma
Reply

theouhuios
Motivator
‎06-26-2013 06:31 AM

Should Time_format config effect the timestamp field in the data? I thought timestamp field gets populated when the Time_FORMAT config works fine. Am I right?

0 Karma
Reply

kristian_kolb
Ultra Champion
‎06-26-2013 05:37 AM

You should set SHOULD_LINEMERGE = false if you intend to use LINE_BREAKER. While I like the LINE_BREAKER approach over the SHOULD_LINEMERGE, for performance reasons, I think that Ayn has some solid advice below.

0 Karma
Reply

asimagu
Builder
‎06-25-2013 10:22 PM

well I did not see the should_linemerge line there, but I don´t think it should affect. when cleaning the index, maybe you can try cleaning the one where the data got indexed and the _thefishbucket
I´m guessing the problem is around the issue of reindexing the events with this new config, either that or create new test events

0 Karma
Reply

theouhuios
Motivator
‎06-25-2013 10:02 PM

still doesnt work. Di i need to remove Should_linemerge? I don't think will affect it.

0 Karma
Reply

theouhuios
Motivator
‎06-25-2013 09:29 PM

Yup, I know how to clean the index. But its still test data so no worries about it.

0 Karma
Reply

theouhuios
Motivator
‎06-25-2013 09:28 PM

oh.. missed that.. let me try that..I guess I missed that part while checking things.

0 Karma
Reply

asimagu
Builder
‎06-25-2013 08:47 PM

did u notice that I changed the MAX_TIMESTAMP_LOOKAHEAD ?

0 Karma
Reply

asimagu
Builder
‎06-25-2013 08:46 PM

I replicated your log on my laptop and it worked.
The data that was already indexed is not going to change unless you clean the index, do u know how to do that?

0 Karma
Reply

theouhuios
Motivator
‎06-25-2013 08:43 PM

Still the same.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...