Splunk Search

Need help with regex in props.conf

dmenon84
Path Finder

Hi all,

Here is how my raw logs look. I need help with props.conf so that I can index by the second time field instead of the first one.

Sep 19 12:45:19 129.106.x.x fdbsyslog: timestamp=2017.09.19 - 12:25:16.056 devname=123 device_id=123 type=alert

Thanks in advance

0 Karma
1 Solution

cpetterborg
SplunkTrust
SplunkTrust

You'll want to use something like this in the props.conf:

TIME_FORMAT=%Y.%m.%d - %T.%N
TIME_PREFIX=timestamp=

View solution in original post

0 Karma

lfedak_splunk
Splunk Employee
Splunk Employee

Hey @dmenon84, if @cpetterborg's solution+comment worked then please don't forget to accept his answer to award karma points and close the question. 🙂

0 Karma

cpetterborg
SplunkTrust
SplunkTrust

You'll want to use something like this in the props.conf:

TIME_FORMAT=%Y.%m.%d - %T.%N
TIME_PREFIX=timestamp=
0 Karma

dmenon84
Path Finder

Thanks for quick response. Before I try this what do you think about my line breaker in props file

TIME_FORMAT=%Y.%m.%d - %T.%N
TIME_PREFIX=timestamp=
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\n\r]+)\w+\s+\d+\s\d{2}:\d{2}:\d{2}

Each events starts with a timestamp

Sep 19 12:23:26 129.106.x.x fdbsyslog: timestamp=2017.09.19 - 12:03:22.980 devname=1123 device_id=abc type=alert
Sep 19 12:23:26 129.106.x.x fdbsyslog: timestamp=2017.09.19 - 12:03:22.980 devname=123 device_id=cde type=alert

0 Karma

cpetterborg
SplunkTrust
SplunkTrust

More easily understood is the ^ instead of ([\n\r]+), be more specific on the month, and use BREAK_ONLY_BEFORE, so I'd do:

BREAK_ONLY_BEFORE = ^\w{3}\s+\d+\s\d{2}:\d{2}:\d{2}
0 Karma

dmenon84
Path Finder

Thank you for all the help !

0 Karma
Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...