Splunk Search

timestamp lookahead

sarit_s
Communicator

Hello

I have this event, for example:

$changeSystemTimeCmd 1533808153 -newTime 1533808153 -oldTime 1533808147

I need to set the timestamp to take the first number after the first string. In this case it is

$changeSystemTimeCmd

but it can be any string.
I tried with timestamp lookahead 30, but the problem is that I can't know what the length of this first string will be.
How can I set the timestamp lookahead regex to take the first number after the first string?

1 Solution

harsmarvania57
Ultra Champion

Hi,

You can use the configuration below on the Indexer/Heavy Forwarder, whichever the UF sends to, to set up the timestamp at index time, if you don't have any whitespace in the first string.

props.conf

[yoursourcetype]
# parse the matched timestamp as epoch seconds
TIME_FORMAT=%s
# skip the first whitespace-free token and the single space after it
TIME_PREFIX=^(?:[^\s]+)\s
# look at most 10 characters past the prefix for the timestamp
MAX_TIMESTAMP_LOOKAHEAD=10

sarit_s
Communicator

I don't have an indexer or HF.
I'm running an all-in-one configuration, so the sourcetype configuration is located in props.conf in the app.

It is working! Can you please explain why MAX_TIMESTAMP_LOOKAHEAD=10?


harsmarvania57
Ultra Champion

If you are running a standalone Splunk instance then it will also work. I have tested the same config via Add Data on my lab Splunk instance and it is working for me.

MAX_TIMESTAMP_LOOKAHEAD counts after TIME_PREFIX. In the above config the TIME_PREFIX regex covers everything up to the first whitespace, so $changeSystemTimeCmd is consumed by the TIME_PREFIX regex, and after that you have a 10-digit epoch time format, so I have given 10 in MAX_TIMESTAMP_LOOKAHEAD.

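To see how the accepted configuration behaves on events whose first token varies in length, and what the lookahead window does, here is an added example (not part of the thread and not Splunk's own parser). It is a small simulation of the TIME_PREFIX / MAX_TIMESTAMP_LOOKAHEAD / TIME_FORMAT=%s logic: it anchors at the end of the TIME_PREFIX match, reads at most MAX_TIMESTAMP_LOOKAHEAD characters, and takes the first digit run that is entirely inside that window. The assumption that a digit run cut off by the window edge is rejected rather than parsed as a shorter number is this example's own design choice; Splunk's real behaviour on such input should be checked in your own instance. All events except the first are constructed for the example.

```python
import re
from datetime import datetime, timezone

# Values from the accepted props.conf answer
TIME_PREFIX = r"^(?:[^\s]+)\s"
MAX_TIMESTAMP_LOOKAHEAD = 10

# Constructed sample events; only the first one comes from the original question
EVENTS = [
    "$changeSystemTimeCmd 1533808153 -newTime 1533808153 -oldTime 1533808147",
    "rebootCmd 1533808200 -reason maintenance",
    "a 1533808153",
]


def extract_epoch(event, prefix=TIME_PREFIX, lookahead=MAX_TIMESTAMP_LOOKAHEAD):
    """Simulate index-time extraction for TIME_FORMAT=%s (assumption-based model,
    not Splunk's parser).

    1. Find where the TIME_PREFIX regex match ends.
    2. Take at most `lookahead` characters from that point (the window).
    3. Return the first digit run that lies completely inside the window.
       A run that continues past the window edge is treated as truncated and
       skipped, so a too-small lookahead yields None instead of a wrong value.
    """
    m = re.search(prefix, event)
    if not m:
        return None  # prefix never matched: nothing to anchor the timestamp on
    start = m.end()
    window = event[start:start + lookahead]
    for d in re.finditer(r"\d+", window):
        end_in_event = start + d.end()
        if end_in_event < len(event) and event[end_in_event].isdigit():
            continue  # digit run was cut by the window edge, not a complete value
        return int(d.group(0))
    return None


def to_utc(epoch):
    """Render an epoch-seconds value as an ISO-8601 UTC string."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat()


if __name__ == "__main__":
    for ev in EVENTS:
        ts = extract_epoch(ev)
        print(f"{ts} {to_utc(ts) if ts is not None else '-':25} <- {ev}")

    # First token containing whitespace: the prefix anchors after "change ",
    # the 10-character window then holds "System 153", which is rejected.
    bad = "change System 1533808153 -oldTime 1533808147"
    print(extract_epoch(bad), "(lookahead 10, first token has a space)")
    print(extract_epoch(bad, lookahead=128), "(lookahead 128 scans further)")

    # Millisecond epoch: 13 digits do not fit in a 10-character window.
    ms = "$changeSystemTimeCmd 1533808153123 -newTime 1533808153123"
    print(extract_epoch(ms), "(lookahead 10)")
    print(extract_epoch(ms, lookahead=13), "(lookahead 13)")
```

The three EVENTS lines show that the regex handles any whitespace-free first token regardless of its length, which is what the question asked for. The two extra cases show why the lookahead is worth bounding to the expected field width: with a narrow window the simulation fails loudly on unexpected input instead of silently picking up a number that appears later in the event, as a wide window does for the event whose first token contains a space.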

sarit_s
Communicator

Thanks for your answer.
It is working.

I see it also works without MAX_TIMESTAMP_LOOKAHEAD.
The thing is that I'm afraid the epoch time will have more than 10 digits, so if it is not necessary to limit it, I think it will be better.

What do you think?


harsmarvania57
Ultra Champion

If you do not set MAX_TIMESTAMP_LOOKAHEAD then it will take the default value, which is 128 characters. I'd suggest defining MAX_TIMESTAMP_LOOKAHEAD with the maximum length of your epoch time.
