
PROPS Conf-TIME_PREFIX and TIME_FORMAT for Complex Source File

SplunkDash
Motivator

Hello,

I have a complex data source (sample events given below).  Is there any way I can write TIME_PREFIX and TIME_FORMAT for this data source? Thank you so much, greatly appreciated.


FOAT     A BRMCPRD  FMM0             0080       0       0 CFOL.OLG.GENERIC.REQUEST.FIT1                       2021-06-14 00:03:48.165

FOAT     A  RCTID     QMGR NAME      INDS I/P CNT O/P CNT     MQ Series Q name                                2021-06-14 00:03:48.162

FOAT     A -------- ---------------- RCTID     ---- ------- ------- -------------------------------                     2021-06-14 00:03:48.163

FOAT     A                        IOB   FRAME  COMMON     SWB     XWB     ECB     FRM1MB                      2021-06-14 00:08:09.521

FOAT     A BRMCPRD  FMM0             0080       0       0 CFOL.OLG.GENERIC.REQUEST.FIT1                       2021-06-14 00:28:09.361

FOAT     A      1       0        4        4       20        0.86   499.26     1.68                            2021-06-14 00:28:09.445

FOAT     A      2       0        3        2        3        1.19   498.92     2.19                            2021-06-14 00:28:09.446

FOAT     A      3       0        2        2        2        1.17   498.95     2.20 _                          2021-06-14 00:28:09.447

FOAT     A      4       0        4        2       10        1.24   498.87     2.27                            2021-06-14 00:28:09.448

FAAT     A END OF DISPLAY+                                                                                    2021-06-14 00:28:09.449

DFAT     A Utilization                     OK   .7 - .7 / .3 - .3 _                                           2021-06-14 23:58:11.233

DFAT     A CFCAOL Message Rate               OK   0.0 / 0.0                                                     2021-06-14 23:58:11.234

FISA    A DASRS Message Rate               OK   0.0 / 0.0                                                     2021-06-14 23:58:11.235

FISA  A Command Code timeouts past Min  OK   c-0 / i-0 / b-0                                               2021-06-14 23:58:11.236

FIAT     A BTIF Response Time              OK   n-0 / r-0 / t-0                                               2021-06-14 23:58:11.237

FIST     A Serv Ctr or C-Codes Disabled    OK   2                                                             2021-06-14 23:58:11.238

BNAT     A 02303F80       *ENBL* AN AT AU BR CI FR KC ME OG PH                                                2021-06-14 23:30:04.120

PODA     A CFOL         0.0        0.0                                                                        2021-06-14 18:56:09.072

PODA     A IDRS         0.0        0.0                                                                        2021-06-14 18:56:09.073

PODA     A EFTP         0.0        0.0                                                                        2021-06-14 18:56:09.074

TBCA     A AAES0009I 00.00.00 FROM TA 0A : AAER0412I ACT: Variation RASIGN activated from dir F:\TESTAVENVAR     2021-06-15 00:00:00.195


richgalloway
SplunkTrust

TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N  that's the easy part.

The TIME_PREFIX setting will just be some number of spaces.  Don't try to describe each event from beginning to timestamp.  A simple TIME_PREFIX = \s+ should do.

You should also set MAX_TIMESTAMP_LOOKAHEAD to a high enough value to find the timestamp at the end of the longest event.

---
If this reply helps you, Karma would be appreciated.

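The three settings in the answer form a small pipeline: TIME_PREFIX decides where extraction starts, MAX_TIMESTAMP_LOOKAHEAD bounds how far past that point Splunk looks, and TIME_FORMAT says what to parse there. The script below is an added example, not code from the original thread and not Splunk's own extraction code: it is an approximation of that pipeline written in Python so you can test a props.conf stanza against sample lines before restarting an indexer. It assumes Splunk's %3N maps to Python's %f, that a timestamp must fit entirely inside the lookahead window, and uses four of the question's own events (copied, with whatever spacing survived extraction) as constructed input.

```python
import re
from datetime import datetime

# Constructed sample input: four events copied from the question above.
# The timestamp sits at the far right of every line.
SAMPLE_EVENTS = [
    "FOAT     A BRMCPRD  FMM0             0080       0       0 CFOL.OLG.GENERIC.REQUEST.FIT1                       2021-06-14 00:03:48.165",
    "FOAT     A      3       0        2        2        2        1.17   498.95     2.20 _                          2021-06-14 00:28:09.447",
    "FISA  A Command Code timeouts past Min  OK   c-0 / i-0 / b-0                                               2021-06-14 23:58:11.236",
    "TBCA     A AAES0009I 00.00.00 FROM TA 0A : AAER0412I ACT: Variation RASIGN activated from dir F:\\TESTAVENVAR     2021-06-15 00:00:00.195",
]

# props.conf values from the accepted answer.
TIME_PREFIX = r"\s+"
TIME_FORMAT = "%Y-%m-%d %H:%M:%S.%3N"

# Regex fragments for the strptime directives used on this page.
# Assumption: this emulates Splunk's matcher; it is not Splunk's code.
_DIRECTIVE_RE = {
    "%Y": r"\d{4}", "%m": r"\d{2}", "%d": r"\d{2}",
    "%H": r"\d{2}", "%M": r"\d{2}", "%S": r"\d{2}", "%3N": r"\d{3}",
}


def time_format_to_regex(fmt):
    """Turn a TIME_FORMAT string into a regex that locates candidate timestamps."""
    pattern = ""
    i = 0
    while i < len(fmt):
        for directive, rx in _DIRECTIVE_RE.items():
            if fmt.startswith(directive, i):
                pattern += rx
                i += len(directive)
                break
        else:
            pattern += re.escape(fmt[i])  # literal separator such as '-', ':', '.'
            i += 1
    return re.compile(pattern)


def extract_timestamp(event, time_prefix=TIME_PREFIX, time_format=TIME_FORMAT,
                      max_lookahead=128):
    """Approximate props.conf timestamp extraction for one event.

    1. TIME_PREFIX: extraction starts right after the first regex match.
    2. MAX_TIMESTAMP_LOOKAHEAD: only the next N characters are searched
       (128 is Splunk's documented default).
    3. TIME_FORMAT: the first substring matching the format is parsed.
    Returns a datetime, or None when nothing in the window matches.
    """
    m = re.search(time_prefix, event)
    if m is None:
        return None
    window = event[m.end():m.end() + max_lookahead]
    candidate = time_format_to_regex(time_format).search(window)
    if candidate is None:
        return None
    # Python strptime has no %3N; %f accepts the 3-digit millisecond field.
    py_format = time_format.replace("%3N", "%f")
    return datetime.strptime(candidate.group(0), py_format)


def lookahead_coverage(events, max_lookahead):
    """How many events yield a timestamp at a given MAX_TIMESTAMP_LOOKAHEAD."""
    return sum(
        1 for e in events
        if extract_timestamp(e, max_lookahead=max_lookahead) is not None
    )


if __name__ == "__main__":
    longest = max(len(e) for e in SAMPLE_EVENTS)
    print(f"longest sample event: {longest} chars")
    for la in (60, 128, 200):
        found = lookahead_coverage(SAMPLE_EVENTS, la)
        print(f"MAX_TIMESTAMP_LOOKAHEAD = {la:3d}: {found}/{len(SAMPLE_EVENTS)} events timestamped")
    for e in SAMPLE_EVENTS:
        print(extract_timestamp(e, max_lookahead=200), "<-", e[:40].rstrip())
```

Run it against the real file rather than these four lines: the number that matters is the length of the longest line, and the TBCA-style messages with a free-text payload are the ones that push the timestamp past the default window. An event whose timestamp falls outside the window is not rejected; Splunk assigns it a time from elsewhere (the previous event from the same source, or the file's modification time), so the failure is silent and shows up later as events landing in the wrong minute of an investigation timeline. After ingest, compare `_time` with `_indextime` on a few of the longest events to confirm the window was large enough.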
