Splunk Search

PROPS Conf-TIME_PREFIX and TIME_FORMAT for Complex Source File

SplunkDash
Motivator

Hello,

I have a complex data source (sample events given below).  Is there any way I can write TIME_PREFIX and TIME_FORMAT for this data source? Thank you so much, greatly appreciated.

FOAT     A BRMCPRD  FMM0             0080       0       0 CFOL.OLG.GENERIC.REQUEST.FIT1                       2021-06-14 00:03:48.165
FOAT     A  RCTID     QMGR NAME      INDS I/P CNT O/P CNT     MQ Series Q name                                2021-06-14 00:03:48.162
FOAT     A -------- ---------------- RCTID     ---- ------- ------- -------------------------------                     2021-06-14 00:03:48.163
FOAT     A                        IOB   FRAME  COMMON     SWB     XWB     ECB     FRM1MB                      2021-06-14 00:08:09.521
FOAT     A BRMCPRD  FMM0             0080       0       0 CFOL.OLG.GENERIC.REQUEST.FIT1                       2021-06-14 00:28:09.361
FOAT     A      1       0        4        4       20        0.86   499.26     1.68                            2021-06-14 00:28:09.445
FOAT     A      2       0        3        2        3        1.19   498.92     2.19                            2021-06-14 00:28:09.446
FOAT     A      3       0        2        2        2        1.17   498.95     2.20 _                          2021-06-14 00:28:09.447
FOAT     A      4       0        4        2       10        1.24   498.87     2.27                            2021-06-14 00:28:09.448
FAAT     A END OF DISPLAY+                                                                                    2021-06-14 00:28:09.449
DFAT     A Utilization                     OK   .7 - .7 / .3 - .3 _                                           2021-06-14 23:58:11.233
DFAT     A CFCAOL Message Rate               OK   0.0 / 0.0                                                     2021-06-14 23:58:11.234
FISA    A DASRS Message Rate               OK   0.0 / 0.0                                                     2021-06-14 23:58:11.235
FISA  A Command Code timeouts past Min  OK   c-0 / i-0 / b-0                                               2021-06-14 23:58:11.236
FIAT     A BTIF Response Time              OK   n-0 / r-0 / t-0                                               2021-06-14 23:58:11.237
FIST     A Serv Ctr or C-Codes Disabled    OK   2                                                             2021-06-14 23:58:11.238
BNAT     A 02303F80       *ENBL* AN AT AU BR CI FR KC ME OG PH                                                2021-06-14 23:30:04.120
PODA     A CFOL         0.0        0.0                                                                        2021-06-14 18:56:09.072
PODA     A IDRS         0.0        0.0                                                                        2021-06-14 18:56:09.073
PODA     A EFTP         0.0        0.0                                                                        2021-06-14 18:56:09.074
TBCA     A AAES0009I 00.00.00 FROM TA 0A : AAER0412I ACT: Variation RASIGN activated from dir F:\TESTAVENVAR     2021-06-15 00:00:00.195


richgalloway
SplunkTrust

TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N  that's the easy part.

The TIME_PREFIX setting will just be some number of spaces.  Don't try to describe each event from beginning to timestamp.  A simple TIME_PREFIX = \s+ should do.

You should also set MAX_TIMESTAMP_LOOKAHEAD to a high enough value to find the timestamp at the end of the longest event.

---
If this reply helps you, Karma would be appreciated.
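As an added example (not part of the answer above and not Splunk's own code), here is a small Python model of how the three settings interact: the first TIME_PREFIX match anchors the search, and only the next MAX_TIMESTAMP_LOOKAHEAD characters are scanned for a string matching TIME_FORMAT. It runs the suggested stanza over a few of the question's sample events and computes the smallest lookahead that still reaches every timestamp. The stanza name and the lookahead value of 200 are assumptions; Splunk's documented default for MAX_TIMESTAMP_LOOKAHEAD is 128, which is close to the length of these events, so checking the value against real data is worthwhile.

```python
import configparser
import re
from datetime import datetime

# props.conf stanza built from the accepted answer. The stanza name is a
# placeholder and MAX_TIMESTAMP_LOOKAHEAD = 200 is a constructed value meant
# to cover the longest sample event.
PROPS_CONF = r"""
[placeholder_mainframe_sourcetype]
SHOULD_LINEMERGE = false
TIME_PREFIX = \s+
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N
MAX_TIMESTAMP_LOOKAHEAD = 200
"""

# A subset of the events from the question, copied verbatim.
SAMPLE_EVENTS = r"""FOAT     A BRMCPRD  FMM0             0080       0       0 CFOL.OLG.GENERIC.REQUEST.FIT1                       2021-06-14 00:03:48.165
FOAT     A      3       0        2        2        2        1.17   498.95     2.20 _                          2021-06-14 00:28:09.447
FAAT     A END OF DISPLAY+                                                                                    2021-06-14 00:28:09.449
DFAT     A Utilization                     OK   .7 - .7 / .3 - .3 _                                           2021-06-14 23:58:11.233
PODA     A CFOL         0.0        0.0                                                                        2021-06-14 18:56:09.072
TBCA     A AAES0009I 00.00.00 FROM TA 0A : AAER0412I ACT: Variation RASIGN activated from dir F:\TESTAVENVAR     2021-06-15 00:00:00.195""".splitlines()

# Regex fragments for the strptime tokens used in this TIME_FORMAT.
TOKEN_REGEX = {
    "%Y": r"\d{4}", "%m": r"\d{2}", "%d": r"\d{2}",
    "%H": r"\d{2}", "%M": r"\d{2}", "%S": r"\d{2}", "%3N": r"\d{3}",
}


def load_stanza(text, name):
    """Parse a props.conf stanza into a dict, keeping key case and '%' literal."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return dict(cp[name])


def format_to_regex(fmt):
    """Turn a TIME_FORMAT string into a regex that finds candidate timestamps."""
    out, i = [], 0
    while i < len(fmt):
        if fmt[i] == "%":
            tok = fmt[i:i + 3] if fmt[i:i + 3] in TOKEN_REGEX else fmt[i:i + 2]
            if tok not in TOKEN_REGEX:
                raise ValueError("unsupported strptime token %r" % tok)
            out.append(TOKEN_REGEX[tok])
            i += len(tok)
        else:
            out.append(re.escape(fmt[i]))
            i += 1
    return "".join(out)


def to_python_format(fmt):
    """Splunk's %3N (milliseconds) maps to Python's %f (fractional seconds)."""
    return fmt.replace("%3N", "%f")


def locate_timestamp(line, settings):
    """Return (datetime, chars_after_prefix) or None, mimicking Splunk's rule:
    anchor on the first TIME_PREFIX match, then look only MAX_TIMESTAMP_LOOKAHEAD
    characters past it for a string matching TIME_FORMAT."""
    prefix = re.search(settings["TIME_PREFIX"], line)
    if prefix is None:
        return None
    lookahead = int(settings["MAX_TIMESTAMP_LOOKAHEAD"])
    window = line[prefix.end():prefix.end() + lookahead]
    hit = re.search(format_to_regex(settings["TIME_FORMAT"]), window)
    if hit is None:
        return None
    stamp = datetime.strptime(hit.group(0), to_python_format(settings["TIME_FORMAT"]))
    return stamp, hit.end()


def extract_all(lines, settings):
    """Timestamp per event, or None where the lookahead window misses it."""
    results = []
    for line in lines:
        found = locate_timestamp(line, settings)
        results.append(found[0] if found else None)
    return results


def required_lookahead(lines, settings):
    """Smallest MAX_TIMESTAMP_LOOKAHEAD that reaches the timestamp in every event."""
    unbounded = dict(settings, MAX_TIMESTAMP_LOOKAHEAD=str(10 ** 6))
    needs = []
    for line in lines:
        found = locate_timestamp(line, unbounded)
        if found is None:
            raise ValueError("no timestamp found in event: %r" % line)
        needs.append(found[1])
    return max(needs)


if __name__ == "__main__":
    cfg = load_stanza(PROPS_CONF, "placeholder_mainframe_sourcetype")
    for event, stamp in zip(SAMPLE_EVENTS, extract_all(SAMPLE_EVENTS, cfg)):
        print(stamp, "<-", event[:40].rstrip(), "...")
    print("minimum MAX_TIMESTAMP_LOOKAHEAD for these events:", required_lookahead(SAMPLE_EVENTS, cfg))
```

The model deliberately ignores the other timestamp controls Splunk applies (MAX_DAYS_AGO, MAX_DAYS_HENCE, timezone handling) and only answers the question the answer raises: does the prefix plus lookahead window actually reach the timestamp at the end of the longest event? Running `required_lookahead` over a representative slice of real events gives a concrete number to put in the stanza instead of guessing.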

