- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- PROPS Conf-TIME_PREFIX and TIME_FORMAT for Complex...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I have a complex data source (sample events given below). Is there any way I can write TIME_PREFIX and TIME_FORMAT for this data source? Thank you so much, greatly appreciated.
FOAT A BRMCPRD FMM0 0080 0 0 CFOL.OLG.GENERIC.REQUEST.FIT1 2021-06-14 00:03:48.165
FOAT A RCTID QMGR NAME INDS I/P CNT O/P CNT MQ Series Q name 2021-06-14 00:03:48.162
FOAT A -------- ---------------- RCTID ---- ------- ------- ------------------------------- 2021-06-14 00:03:48.163
FOAT A IOB FRAME COMMON SWB XWB ECB FRM1MB 2021-06-14 00:08:09.521
FOAT A BRMCPRD FMM0 0080 0 0 CFOL.OLG.GENERIC.REQUEST.FIT1 2021-06-14 00:28:09.361
FOAT A 1 0 4 4 20 0.86 499.26 1.68 2021-06-14 00:28:09.445
FOAT A 2 0 3 2 3 1.19 498.92 2.19 2021-06-14 00:28:09.446
FOAT A 3 0 2 2 2 1.17 498.95 2.20 _ 2021-06-14 00:28:09.447
FOAT A 4 0 4 2 10 1.24 498.87 2.27 2021-06-14 00:28:09.448
FAAT A END OF DISPLAY+ 2021-06-14 00:28:09.449
DFAT A Utilization OK .7 - .7 / .3 - .3 _ 2021-06-14 23:58:11.233
DFAT A CFCAOL Message Rate OK 0.0 / 0.0 2021-06-14 23:58:11.234
FISA A DASRS Message Rate OK 0.0 / 0.0 2021-06-14 23:58:11.235
FISA A Command Code timeouts past Min OK c-0 / i-0 / b-0 2021-06-14 23:58:11.236
FIAT A BTIF Response Time OK n-0 / r-0 / t-0 2021-06-14 23:58:11.237
FIST A Serv Ctr or C-Codes Disabled OK 2 2021-06-14 23:58:11.238
BNAT A 02303F80 *ENBL* AN AT AU BR CI FR KC ME OG PH 2021-06-14 23:30:04.120
PODA A CFOL 0.0 0.0 2021-06-14 18:56:09.072
PODA A IDRS 0.0 0.0 2021-06-14 18:56:09.073
PODA A EFTP 0.0 0.0 2021-06-14 18:56:09.074
TBCA A AAES0009I 00.00.00 FROM TA 0A : AAER0412I ACT: Variation RASIGN activated from dir F:\TESTAVENVAR 2021-06-15 00:00:00.195
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N that's the easy part.
The TIME_PREFIX setting will just be some number of spaces. Don't try to describe each event from beginning to timestamp. A simple TIME_PREFIX = \s+ should do.
You should also set MAX_TIMESTAMP_LOOKAHEAD to a high enough value to find the timestamp at the end of the longest event.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N that's the easy part.
The TIME_PREFIX setting will just be some number of spaces. Don't try to describe each event from beginning to timestamp. A simple TIME_PREFIX = \s+ should do.
You should also set MAX_TIMESTAMP_LOOKAHEAD to a high enough value to find the timestamp at the end of the longest event.
If this reply helps you, Karma would be appreciated.
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
