Splunk Search

PROPS Conf-TIME_PREFIX and TIME_FORMAT for Complex Source File

SplunkDash
Motivator

Hello,

I have a complex data source (sample events given below).  Is there any way I can write TIME_PREFIX and TIME_FORMAT for this data source? Thank you so much, greatly appreciated.


FOAT     A BRMCPRD  FMM0             0080       0       0 CFOL.OLG.GENERIC.REQUEST.FIT1                       2021-06-14 00:03:48.165

FOAT     A  RCTID     QMGR NAME      INDS I/P CNT O/P CNT     MQ Series Q name                                2021-06-14 00:03:48.162

FOAT     A -------- ---------------- RCTID     ---- ------- ------- -------------------------------                     2021-06-14 00:03:48.163

FOAT     A                        IOB   FRAME  COMMON     SWB     XWB     ECB     FRM1MB                      2021-06-14 00:08:09.521

FOAT     A BRMCPRD  FMM0             0080       0       0 CFOL.OLG.GENERIC.REQUEST.FIT1                       2021-06-14 00:28:09.361

FOAT     A      1       0        4        4       20        0.86   499.26     1.68                            2021-06-14 00:28:09.445

FOAT     A      2       0        3        2        3        1.19   498.92     2.19                            2021-06-14 00:28:09.446

FOAT     A      3       0        2        2        2        1.17   498.95     2.20 _                          2021-06-14 00:28:09.447

FOAT     A      4       0        4        2       10        1.24   498.87     2.27                            2021-06-14 00:28:09.448

FAAT     A END OF DISPLAY+                                                                                    2021-06-14 00:28:09.449

DFAT     A Utilization                     OK   .7 - .7 / .3 - .3 _                                           2021-06-14 23:58:11.233

DFAT     A CFCAOL Message Rate               OK   0.0 / 0.0                                                     2021-06-14 23:58:11.234

FISA    A DASRS Message Rate               OK   0.0 / 0.0                                                     2021-06-14 23:58:11.235

FISA  A Command Code timeouts past Min  OK   c-0 / i-0 / b-0                                               2021-06-14 23:58:11.236

FIAT     A BTIF Response Time              OK   n-0 / r-0 / t-0                                               2021-06-14 23:58:11.237

FIST     A Serv Ctr or C-Codes Disabled    OK   2                                                             2021-06-14 23:58:11.238

BNAT     A 02303F80       *ENBL* AN AT AU BR CI FR KC ME OG PH                                                2021-06-14 23:30:04.120

PODA     A CFOL         0.0        0.0                                                                        2021-06-14 18:56:09.072

PODA     A IDRS         0.0        0.0                                                                        2021-06-14 18:56:09.073

PODA     A EFTP         0.0        0.0                                                                        2021-06-14 18:56:09.074

TBCA     A AAES0009I 00.00.00 FROM TA 0A : AAER0412I ACT: Variation RASIGN activated from dir F:\TESTAVENVAR     2021-06-15 00:00:00.195


richgalloway
SplunkTrust
SplunkTrust

TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N; that's the easy part.

The TIME_PREFIX setting will just be some number of spaces.  Don't try to describe each event from beginning to timestamp.  A simple TIME_PREFIX = \s+ should do.

You should also set MAX_TIMESTAMP_LOOKAHEAD to a high enough value to find the timestamp at the end of the longest event.

---
If this reply helps you, Karma would be appreciated.

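A quick way to check the three settings before pushing them to props.conf is to dry-run them against the sample events. The script below is an added example written for this page (not Splunk's code and not the original poster's): it approximates Splunk's extractor by matching TIME_PREFIX once, then searching for the TIME_FORMAT pattern only inside the next MAX_TIMESTAMP_LOOKAHEAD characters, and it reports the smallest lookahead that reaches the trailing timestamp of every event. The sample events are copied from the question; the lookahead value 200, the `%3N` handling and the helper names (`extract_timestamp`, `required_lookahead`) are assumptions. An event whose timestamp falls outside the window does not raise an error in Splunk; it silently gets a fallback time (previous event's time or index time), which is exactly the failure this check is meant to surface.

```python
"""Dry-run of the props.conf timestamp settings proposed in the answer.

Assumptions (an approximation of Splunk's extractor, not Splunk code): the
prefix regex is matched once, left to right; the timestamp must lie entirely
within MAX_TIMESTAMP_LOOKAHEAD characters after the end of that match.
"""
import re
from datetime import datetime
from typing import List, Optional

# Settings from the answer; 200 is an assumed value, large enough for these events.
TIME_PREFIX = r"\s+"
TIME_FORMAT = "%Y-%m-%d %H:%M:%S.%3N"
MAX_TIMESTAMP_LOOKAHEAD = 200

# Sample events copied from the question (not constructed).
SAMPLE_EVENTS: List[str] = [
    "FOAT     A BRMCPRD  FMM0             0080       0       0 CFOL.OLG.GENERIC.REQUEST.FIT1                       2021-06-14 00:03:48.165",
    "FAAT     A END OF DISPLAY+                                                                                    2021-06-14 00:28:09.449",
    "DFAT     A Utilization                     OK   .7 - .7 / .3 - .3 _                                           2021-06-14 23:58:11.233",
    r"TBCA     A AAES0009I 00.00.00 FROM TA 0A : AAER0412I ACT: Variation RASIGN activated from dir F:\TESTAVENVAR     2021-06-15 00:00:00.195",
]

# strptime directives used by the answer's TIME_FORMAT. %3N is Splunk's
# three-digit subsecond directive, which Python's strptime does not know.
_DIRECTIVES = {
    "%Y": r"(?P<Y>\d{4})", "%m": r"(?P<m>\d{2})", "%d": r"(?P<d>\d{2})",
    "%H": r"(?P<H>\d{2})", "%M": r"(?P<M>\d{2})", "%S": r"(?P<S>\d{2})",
    "%3N": r"(?P<N>\d{3})",
}


def time_format_to_regex(fmt: str) -> "re.Pattern[str]":
    """Translate a TIME_FORMAT string into a regex with one named group per field."""
    parts, i = [], 0
    while i < len(fmt):
        if fmt[i] == "%":
            for width in (3, 2):          # try the 3-char %3N before 2-char directives
                directive = fmt[i:i + width]
                if directive in _DIRECTIVES:
                    parts.append(_DIRECTIVES[directive])
                    i += width
                    break
            else:
                raise ValueError(f"unsupported directive near {fmt[i:i + 3]!r}")
        else:
            parts.append(re.escape(fmt[i]))  # literal separators: '-', ' ', ':', '.'
            i += 1
    return re.compile("".join(parts))


def extract_timestamp(event: str, time_prefix: str = TIME_PREFIX,
                      time_format: str = TIME_FORMAT,
                      lookahead: int = MAX_TIMESTAMP_LOOKAHEAD) -> Optional[datetime]:
    """Return the timestamp this model assigns to the event, or None if not found."""
    prefix = re.search(time_prefix, event)
    if prefix is None:
        return None
    window = event[prefix.end():prefix.end() + lookahead]
    hit = time_format_to_regex(time_format).search(window)
    if hit is None:
        return None                       # Splunk would fall back to another time source
    g = hit.groupdict()
    return datetime(int(g["Y"]), int(g["m"]), int(g["d"]),
                    int(g["H"]), int(g["M"]), int(g["S"]), int(g["N"]) * 1000)


def required_lookahead(events: List[str], time_prefix: str = TIME_PREFIX,
                       time_format: str = TIME_FORMAT) -> int:
    """Smallest lookahead that reaches the end of every event's timestamp.

    Returns 0 if some event has no prefix match or no timestamp at all,
    so a zero result itself flags a problem with the settings.
    """
    pattern = time_format_to_regex(time_format)
    needed = 0
    for event in events:
        prefix = re.search(time_prefix, event)
        hit = pattern.search(event, prefix.end()) if prefix else None
        if hit is None:
            return 0
        needed = max(needed, hit.end() - prefix.end())
    return needed


if __name__ == "__main__":
    floor = required_lookahead(SAMPLE_EVENTS)
    print(f"MAX_TIMESTAMP_LOOKAHEAD must be at least {floor} for these events")
    for event in SAMPLE_EVENTS:
        found = extract_timestamp(event)
        short = extract_timestamp(event, lookahead=40)   # deliberately too small
        print(f"{event[:4]}: lookahead {MAX_TIMESTAMP_LOOKAHEAD} -> {found}; lookahead 40 -> {short}")
```

Run it over a larger slice of the real file rather than these four lines; the value `required_lookahead` reports, plus generous headroom, is what to put in the sourcetype's props.conf stanza next to `TIME_PREFIX` and `TIME_FORMAT`. Any event for which `extract_timestamp` returns None at the chosen lookahead is one that would be filed under the wrong time once indexed.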