Solved: Re: time_format help

AzmathShaik · ‎12-22-2020

Hello All,

i have source with events

****4007656256*vwxmsghdlr.cpp*03523*08000*2020DEC22*14:01:30
Partition not defined for this node:
****4062182208*vwxmsghdlr.cpp*03523*08000*2020DEC22*14:00:01
Partition not defined for this node:
****4062182208*vwxmsghdlr.cpp*03523*08000*2020DEC22*14:00:01
Partition not defined for this node:
****4059036480*vwxmsghdlr.cpp*03523*08000*2020DEC22*14:00:00
Partition not defined for this node:
****4007656256*vwxmsghdlr.cpp*03523*08000*2020DEC22*14:00:00
Partition not defined for this node:
****4059036480*vwxmsghdlr.cpp*03523*08000*2020DEC22*14:00:00
Partition not defined for this node:
****4007656256*vwxmsghdlr.cpp*03523*08000*2020DEC22*14:00:00
Partition not defined for this node:
****4029676352*vwxmsghdlr.cpp*03523*08000*2020DEC22*13:58:54
Partition not defined for this node:

can someone help me in writing TIME_PREFIX and LINE_BREAKER?

richgalloway · ‎12-22-2020

Try these settings.

[mysourcetype]
LINE_BREAKER = ([\r\n])\*{4}
SHOULD_LINEMERGE = false
TIME_PREFIX = \*\d{5}\*\d{5}\*
TIME_FORMAT = %Y%b%d*%H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 18

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎12-22-2020

Try these settings.

[mysourcetype]
LINE_BREAKER = ([\r\n])\*{4}
SHOULD_LINEMERGE = false
TIME_PREFIX = \*\d{5}\*\d{5}\*
TIME_FORMAT = %Y%b%d*%H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 18

---
If this reply helps you, Karma would be appreciated.

time_format help

other

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

New in Observability Cloud - Explicit Bucket Histograms