Splunk Search

PROPS Conf-Time_FORMAT and TIME_PREFIX

SplunkDash
Motivator

Hi,

How would I write Time_FORMAT and TIME_PREFIX for my Props Conf file for the following sample events. Any help will be highly appreciated. Thank you so much.

RTJCB|DEMOEE|AFFR|ANALYST   |VIEWSUMMARY    |XYA565656873                ||12.214.61.90|00|                                                            |20210730 13:00:26:907|   |000000|030|ACMF|0|  STJCB|DEMOEE|AFFR|ANALYST   |VIEWCASE       |YNA565656873                ||12.214.61.90|00|                                                            |20210730 13:00:29:045|      |000000|030|ACMF|0|      TRJCB|DEMO|AFFR|ANALYST   |VIEWSUMMARY    |XBC565656873                ||12.214.61.90|00|                                                            |20210730 13:00:30:421|       |000000|030|ACMF|0|  RXJCB|DEMOEE|AFFR|ANALYST   |VIEWCASE       |DCN132748456                ||12.214.61.90|00|                                                            |20210730 13:00:40:273|     |201512|030|ACMF|0|     DSJCB|DEMOEE|AFFR|ANALYST   |UPDATECASE     |CBB132748456                ||12.214.61.90|01|Attempt to update to an code                 |20210730 13:00:47:347|        |201512|030|ACMF|0|             

RXJCB|DEMOEE|AFFR|ANALYST   |VIEWCASE       |ABB132748456                ||12.214.61.90|00|                                                            |20210730 13:00:48:519|          |201512|030|ACMF|0|       

 

 

Labels (1)
Tags (1)
0 Karma

bowesmana
SplunkTrust
SplunkTrust

Format based on your data is

%Y%m%d %H:%M:%S:%Q

and prefix is

([^\|]*\|){10}

which is looking for the 10th PIPE symbol in the data

 

 

SplunkDash
Motivator

Thank you so much, appreciated

I used this one as well. Only problem when I use this double pipe "||". If I use {9} without this "||" (i.e, replace "||" with "|") working as expected, but, getting error message when I have "||" in the events. Any help will be highly appreciated. 

0 Karma

SplunkDash
Motivator

I think I am good, working as expected. Thank you again, truly appreciated your support in this effort.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...