Splunk Search

Need help with regex in props.conf

dmenon84
Path Finder

Hi all,

Here is how my raw logs look. I need help with props.conf so that I can index by the second time field instead of the first one.

Sep 19 12:45:19 129.106.x.x fdbsyslog: timestamp=2017.09.19 - 12:25:16.056 devname=123 device_id=123 type=alert

Thanks in advance

1 Solution

cpetterborg
SplunkTrust

You'll want to use something like this in the props.conf:

TIME_FORMAT=%Y.%m.%d - %T.%N
TIME_PREFIX=timestamp=


lfedak_splunk
Splunk Employee

Hey @dmenon84, if @cpetterborg's solution+comment worked then please don't forget to accept his answer to award karma points and close the question. 🙂



dmenon84
Path Finder

Thanks for the quick response. Before I try this, what do you think about my line breaker in the props file?

TIME_FORMAT=%Y.%m.%d - %T.%N
TIME_PREFIX=timestamp=
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\n\r]+)\w+\s+\d+\s\d{2}:\d{2}:\d{2}

Each event starts with a timestamp:

Sep 19 12:23:26 129.106.x.x fdbsyslog: timestamp=2017.09.19 - 12:03:22.980 devname=1123 device_id=abc type=alert
Sep 19 12:23:26 129.106.x.x fdbsyslog: timestamp=2017.09.19 - 12:03:22.980 devname=123 device_id=cde type=alert


cpetterborg
SplunkTrust

More easily understood is the ^ instead of ([\n\r]+), be more specific on the month, and use BREAK_ONLY_BEFORE, so I'd do:

BREAK_ONLY_BEFORE = ^\w{3}\s+\d+\s\d{2}:\d{2}:\d{2}
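Before pushing either props.conf variant to an indexer, it helps to check offline that the events break where intended and that _time is taken from the timestamp= field rather than the syslog header. The following is an added example, not Splunk's own code and not from anyone in this thread: it re-implements just enough of the LINE_BREAKER, BREAK_ONLY_BEFORE, TIME_PREFIX and TIME_FORMAT semantics to run the thread's settings over a constructed sample modelled on the lines quoted above (IP octets masked as in the post, second line given a different time). Splunk's %T and %N directives are translated to Python's %H:%M:%S and %f, and the lookahead window mirrors MAX_TIMESTAMP_LOOKAHEAD's default of 128 characters. One caveat worth keeping in mind: BREAK_ONLY_BEFORE is a line-merging rule and only takes effect with SHOULD_LINEMERGE = true, whereas LINE_BREAKER is what applies when SHOULD_LINEMERGE = false, so the two snippets in this thread are not interchangeable without also adjusting that setting.

```python
"""Offline check of the props.conf settings discussed in the thread.

Added example (not Splunk code): emulates LINE_BREAKER / BREAK_ONLY_BEFORE
event breaking and TIME_PREFIX / TIME_FORMAT timestamp extraction so the
config can be sanity-checked before it reaches an indexer.
"""
import re
from datetime import datetime

# Settings as posted in the thread.
TIME_FORMAT = "%Y.%m.%d - %T.%N"
TIME_PREFIX = "timestamp="
LINE_BREAKER = r"([\n\r]+)\w+\s+\d+\s\d{2}:\d{2}:\d{2}"
BREAK_ONLY_BEFORE = r"^\w{3}\s+\d+\s\d{2}:\d{2}:\d{2}"

# Constructed sample stream modelled on the lines quoted in the thread
# (IP octets masked as in the post; second line given a different time).
RAW_SAMPLE = (
    "Sep 19 12:23:26 129.106.x.x fdbsyslog: timestamp=2017.09.19 - 12:03:22.980 "
    "devname=1123 device_id=abc type=alert\n"
    "Sep 19 12:23:26 129.106.x.x fdbsyslog: timestamp=2017.09.19 - 12:03:25.120 "
    "devname=123 device_id=cde type=alert\n"
)

# Splunk strptime directives that Python's datetime.strptime does not know.
SPLUNK_TO_PYTHON = {"%T": "%H:%M:%S", "%N": "%f"}


def to_python_format(fmt: str) -> str:
    """Translate a Splunk TIME_FORMAT into the equivalent Python strptime format."""
    for splunk_dir, py_dir in SPLUNK_TO_PYTHON.items():
        fmt = fmt.replace(splunk_dir, py_dir)
    return fmt


def split_events(raw: str, line_breaker: str) -> list[str]:
    """Emulate LINE_BREAKER: the text matched by the first capture group is the
    delimiter and is discarded; the rest of the match stays with the next event."""
    events, start = [], 0
    for m in re.finditer(line_breaker, raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    return [e.strip("\r\n") for e in events if e.strip()]


def merge_lines(raw: str, break_only_before: str) -> list[str]:
    """Emulate BREAK_ONLY_BEFORE (a line-merging rule, so it needs
    SHOULD_LINEMERGE = true): a new event starts only at a line matching the regex."""
    events: list[str] = []
    for line in raw.splitlines():
        if re.match(break_only_before, line) or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events


def extract_time(event: str, time_prefix: str, time_format: str, lookahead: int = 128):
    """Emulate TIME_PREFIX + TIME_FORMAT: parse the text that follows the first
    match of the prefix regex, within `lookahead` characters (Splunk's
    MAX_TIMESTAMP_LOOKAHEAD default is 128). Returns None if nothing parses."""
    m = re.search(time_prefix, event)
    if m is None:
        return None
    window = event[m.end(): m.end() + lookahead]
    py_fmt = to_python_format(time_format)
    # strptime requires an exact match, so shrink the window until it parses.
    for end in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:end], py_fmt)
        except ValueError:
            continue
    return None


def syslog_header_time(event: str):
    """The leading 'Mon DD HH:MM:SS' syslog header, i.e. the first time field the
    question wants to avoid indexing by (no year, so strptime defaults to 1900)."""
    m = re.match(r"\w{3}\s+\d+\s\d{2}:\d{2}:\d{2}", event)
    return datetime.strptime(m.group(0), "%b %d %H:%M:%S") if m else None


if __name__ == "__main__":
    events = split_events(RAW_SAMPLE, LINE_BREAKER)
    # Both breaking rules should yield the same two events on this sample.
    assert events == merge_lines(RAW_SAMPLE, BREAK_ONLY_BEFORE)
    for ev in events:
        print("header:", syslog_header_time(ev).strftime("%b %d %H:%M:%S"),
              "| _time:", extract_time(ev, TIME_PREFIX, TIME_FORMAT))
```

Running the script prints the syslog header time next to the parsed timestamp= value for each event, which makes it obvious that the second field (12:03:22.980 rather than 12:23:26) is what becomes _time under the posted settings. The same functions can be pointed at a larger captured sample to catch lines that would fall back to Splunk's default timestamp detection (extract_time returning None).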

dmenon84
Path Finder

Thank you for all the help!
