PROPS Conf-TIME_PREFIX and TIME_FORMAT for Complex Source File

malekmo
Contributor

Hello,

I have a complex data source (sample events are given below). Is there any way I can write TIME_PREFIX and TIME_FORMAT for this data source? Thank you so much, greatly appreciated.

FOAT     A BRMCPRD  FMM0             0080       0       0 CFOL.OLG.GENERIC.REQUEST.FIT1                       2021-06-14 00:03:48.165
FOAT     A  RCTID     QMGR NAME      INDS I/P CNT O/P CNT     MQ Series Q name                                2021-06-14 00:03:48.162
FOAT     A -------- ---------------- RCTID     ---- ------- ------- -------------------------------                     2021-06-14 00:03:48.163
FOAT     A                        IOB   FRAME  COMMON     SWB     XWB     ECB     FRM1MB                      2021-06-14 00:08:09.521
FOAT     A BRMCPRD  FMM0             0080       0       0 CFOL.OLG.GENERIC.REQUEST.FIT1                       2021-06-14 00:28:09.361
FOAT     A      1       0        4        4       20        0.86   499.26     1.68                            2021-06-14 00:28:09.445
FOAT     A      2       0        3        2        3        1.19   498.92     2.19                            2021-06-14 00:28:09.446
FOAT     A      3       0        2        2        2        1.17   498.95     2.20 _                          2021-06-14 00:28:09.447
FOAT     A      4       0        4        2       10        1.24   498.87     2.27                            2021-06-14 00:28:09.448
FAAT     A END OF DISPLAY+                                                                                    2021-06-14 00:28:09.449
DFAT     A Utilization                     OK   .7 - .7 / .3 - .3 _                                           2021-06-14 23:58:11.233
DFAT     A CFCAOL Message Rate               OK   0.0 / 0.0                                                     2021-06-14 23:58:11.234
FISA    A DASRS Message Rate               OK   0.0 / 0.0                                                     2021-06-14 23:58:11.235
FISA  A Command Code timeouts past Min  OK   c-0 / i-0 / b-0                                               2021-06-14 23:58:11.236
FIAT     A BTIF Response Time              OK   n-0 / r-0 / t-0                                               2021-06-14 23:58:11.237
FIST     A Serv Ctr or C-Codes Disabled    OK   2                                                             2021-06-14 23:58:11.238
BNAT     A 02303F80       *ENBL* AN AT AU BR CI FR KC ME OG PH                                                2021-06-14 23:30:04.120
PODA     A CFOL         0.0        0.0                                                                        2021-06-14 18:56:09.072
PODA     A IDRS         0.0        0.0                                                                        2021-06-14 18:56:09.073
PODA     A EFTP         0.0        0.0                                                                        2021-06-14 18:56:09.074
TBCA     A AAES0009I 00.00.00 FROM TA 0A : AAER0412I ACT: Variation RASIGN activated from dir F:\TESTAVENVAR     2021-06-15 00:00:00.195


richgalloway
SplunkTrust

TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N; that's the easy part.

The TIME_PREFIX setting will just be some number of spaces. Don't try to describe each event from beginning to timestamp. A simple TIME_PREFIX = \s+ should do.

You should also set MAX_TIMESTAMP_LOOKAHEAD to a high enough value to find the timestamp at the end of the longest event.

---
If this reply helps you, an upvote would be appreciated.

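A way to check the settings in the answer above against the sample before they go into props.conf, as an added example that is not part of the original thread and not Splunk's own code: a small Python model of how TIME_PREFIX, TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD interact, run over four events copied from the question (a constructed sample). The sourcetype name `mainframe_display`, the lookahead value of 150, and the helper names are assumptions for this example. The point a practitioner cares about is the failure mode: when the timestamp sits beyond the lookahead window, extraction does not error, the event simply gets a wrong time (Splunk falls back to other heuristics or index time), and every time-based correlation in the SIEM is quietly off for that source. So the example also computes the smallest lookahead that reaches the end of the timestamp in every sample event.

```python
import re
from datetime import datetime

# Constructed props.conf stanza mirroring the answer above. The sourcetype name
# and the MAX_TIMESTAMP_LOOKAHEAD value are assumptions for this example.
PROPS_STANZA = r"""
[mainframe_display]
TIME_PREFIX = \s+
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N
MAX_TIMESTAMP_LOOKAHEAD = 150
"""

# Constructed sample: four events copied from the question, including the longest one.
SAMPLE_EVENTS = [
    r"FOAT     A BRMCPRD  FMM0             0080       0       0 CFOL.OLG.GENERIC.REQUEST.FIT1                       2021-06-14 00:03:48.165",
    r"FAAT     A END OF DISPLAY+                                                                                    2021-06-14 00:28:09.449",
    r"BNAT     A 02303F80       *ENBL* AN AT AU BR CI FR KC ME OG PH                                                2021-06-14 23:30:04.120",
    r"TBCA     A AAES0009I 00.00.00 FROM TA 0A : AAER0412I ACT: Variation RASIGN activated from dir F:\TESTAVENVAR     2021-06-15 00:00:00.195",
]

# Splunk strptime tokens and the digits each one must match. %3N is Splunk's
# millisecond token; Python strptime has no equivalent, so it is mapped to %f below.
FORMAT_TOKENS = {
    "%Y": r"\d{4}", "%m": r"\d{2}", "%d": r"\d{2}",
    "%H": r"\d{2}", "%M": r"\d{2}", "%S": r"\d{2}",
    "%3N": r"\d{3}", "%6N": r"\d{6}",
}


def parse_stanza(text):
    """Minimal key = value parser for a single props.conf stanza."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("[") or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def format_to_regex(fmt):
    """Turn a TIME_FORMAT string into a regex that matches only that exact layout."""
    out, i = [], 0
    while i < len(fmt):
        token = next((t for t in FORMAT_TOKENS if fmt.startswith(t, i)), None)
        if token:
            out.append(FORMAT_TOKENS[token])
            i += len(token)
        else:
            out.append(re.escape(fmt[i]))
            i += 1
    return "".join(out)


def to_python_format(fmt):
    """Map Splunk's sub-second tokens onto Python's %f (which accepts 1-6 digits)."""
    return fmt.replace("%3N", "%f").replace("%6N", "%f")


def extract_timestamp(event, settings):
    """Model Splunk's extraction: locate TIME_PREFIX, then search for TIME_FORMAT
    within the next MAX_TIMESTAMP_LOOKAHEAD characters. Returns (datetime, 'ok')
    or (None, reason)."""
    prefix = re.search(settings["TIME_PREFIX"], event)
    if not prefix:
        return None, "TIME_PREFIX not found"
    lookahead = int(settings.get("MAX_TIMESTAMP_LOOKAHEAD", 128))  # 128 is Splunk's default
    window = event[prefix.end():prefix.end() + lookahead]
    match = re.search(format_to_regex(settings["TIME_FORMAT"]), window)
    if not match:
        return None, "no timestamp within MAX_TIMESTAMP_LOOKAHEAD"
    try:
        stamp = datetime.strptime(match.group(0), to_python_format(settings["TIME_FORMAT"]))
    except ValueError as err:
        return None, f"matched text does not parse: {err}"
    return stamp, "ok"


def required_lookahead(events, settings):
    """Smallest MAX_TIMESTAMP_LOOKAHEAD that reaches the end of the timestamp in
    every event, or None if some event has no prefix or no timestamp at all."""
    ts_re = re.compile(format_to_regex(settings["TIME_FORMAT"]))
    needed = 0
    for event in events:
        prefix = re.search(settings["TIME_PREFIX"], event)
        match = ts_re.search(event, prefix.end()) if prefix else None
        if not match:
            return None
        needed = max(needed, match.end() - prefix.end())
    return needed


if __name__ == "__main__":
    settings = parse_stanza(PROPS_STANZA)
    for event in SAMPLE_EVENTS:
        stamp, reason = extract_timestamp(event, settings)
        print(f"{reason:45} {stamp}  <- {event[:40]}...")
    print("minimum MAX_TIMESTAMP_LOOKAHEAD for this sample:",
          required_lookahead(SAMPLE_EVENTS, settings))
    # Too-small lookahead: the longest event loses its timestamp without any error.
    tight = dict(settings, MAX_TIMESTAMP_LOOKAHEAD="64")
    print("with MAX_TIMESTAMP_LOOKAHEAD = 64:", extract_timestamp(SAMPLE_EVENTS[-1], tight))
```

The model only covers the documented lookahead semantics (characters searched after the TIME_PREFIX match); it does not reproduce Splunk's fallback heuristics, which is exactly why running a representative sample through the intended settings before onboarding is worth the minute it takes. Note also that with `\s+` as the prefix, the whole line after the first whitespace run is in scope, so the strict TIME_FORMAT is what keeps fragments such as `00.00.00` in the last event from being mistaken for a time.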

