Hello,
I have a file exampleFile that has two different timestamp/event formats:
~02 07 10:19:24 OIT-FO-OFR2 NSSTRAP
and
Feb 05 18:58:43 ANSU-OPS-2 checkpn: OK:ABM3CANDAF34018
As both timestamps do not contain the year, Splunk does not manage to correctly index the events.
I therefore override both sourcetypes on a per-event basis.
In props.conf:
[source::.../exampleFile]
TRANSFORMS-event_1 = event_1
TRANSFORMS-event_2 = event_2
[FORMAT_1]
NO_BINARY_CHECK = 1
TIME_FORMAT = %b %d %H:%M:%S
[FORMAT_2]
NO_BINARY_CHECK = 1
TIME_PREFIX = ^\~
TIME_FORMAT = %m %d %H:%M:%S
In transforms.conf:
[event_1]
REGEX = \w{3}\s\d{2}\s\d{2}\:\d{2}\:\d{2}\s.+
FORMAT = sourcetype::FORMAT_1
DEST_KEY = MetaData:Sourcetype
[event_2]
REGEX = \~\d{2}\s\d{2}\s\d{2}\:\d{2}\:\d{2}\s.+
FORMAT = sourcetype::FORMAT_2
DEST_KEY = MetaData:Sourcetype
This works: the sourcetype is correctly assigned to each event type, but the indexed timestamps stay wrong.
Any ideas on how I can correctly assign the TIME_FORMAT to the per-event overridden sourcetype?
PS: When I upload a file containing only one event format and assign that file directly to the sourcetype FORMAT_1 or FORMAT_2, the TIME_FORMAT definition works correctly.
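As an added example (not part of the question above and not Splunk code), the following Python script replays the two-step logic the poster expects: classify each line with the event REGEX from transforms.conf, then parse its time with the matching sourcetype's TIME_FORMAT. The sample lines are constructed from the two formats shown in the question, and the timestamp capture patterns are my own stand-in for TIME_PREFIX. It is useful for checking the regexes and format strings offline; it does not model Splunk's processing order, in which timestamp extraction runs before TRANSFORMS-based sourcetype overrides, so the overriding sourcetype's TIME_FORMAT is not consulted at index time.

```python
import re
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed sample events mirroring the two formats in the question.
SAMPLE_LINES = [
    "~02 07 10:19:24 OIT-FO-OFR2 NSSTRAP",
    "Feb 05 18:58:43 ANSU-OPS-2 checkpn: OK:ABM3CANDAF34018",
    "no timestamp here at all",
]

# One rule per sourcetype: the event REGEX copied from transforms.conf, a
# capture regex for the timestamp text (stand-in for TIME_PREFIX, assumed),
# and the TIME_FORMAT from props.conf.
RULES = [
    ("FORMAT_1",
     re.compile(r"\w{3}\s\d{2}\s\d{2}\:\d{2}\:\d{2}\s.+"),
     re.compile(r"^([A-Za-z]{3} \d{2} \d{2}:\d{2}:\d{2})"),
     "%b %d %H:%M:%S"),
    ("FORMAT_2",
     re.compile(r"\~\d{2}\s\d{2}\s\d{2}\:\d{2}\:\d{2}\s.+"),
     re.compile(r"^~(\d{2} \d{2} \d{2}:\d{2}:\d{2})"),
     "%m %d %H:%M:%S"),
]


def classify(line: str) -> Optional[str]:
    """Return the sourcetype whose event REGEX matches the line, or None.

    Like Splunk's REGEX, the match is unanchored; first matching rule wins.
    """
    for sourcetype, event_re, _, _ in RULES:
        if event_re.search(line):
            return sourcetype
    return None


def parse_timestamp(line: str, year: int) -> Optional[datetime]:
    """Parse the event time using the matching sourcetype's TIME_FORMAT.

    Neither format carries a year, so the caller supplies one (Splunk falls
    back to the current year in the same situation); without it strptime
    would silently default to 1900.
    """
    for _, event_re, ts_re, time_format in RULES:
        if not event_re.search(line):
            continue
        m = ts_re.match(line)
        if not m:
            return None
        return datetime.strptime(f"{year} {m.group(1)}", f"%Y {time_format}")
    return None


def index_lines(lines: List[str], year: int) -> List[Tuple[Optional[str], Optional[datetime]]]:
    """Return (sourcetype, timestamp) per line, as an indexer would record them."""
    return [(classify(line), parse_timestamp(line, year)) for line in lines]


if __name__ == "__main__":
    for line, (sourcetype, ts) in zip(SAMPLE_LINES, index_lines(SAMPLE_LINES, 2024)):
        print(f"{str(sourcetype):9} {ts}  <- {line}")
```

Run it directly to see the classification and parsed time for each sample line; the third line, which matches neither REGEX, yields None for both fields, which is the case to watch for when a new event format appears in the file.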