Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Changing collection of the timestamp of the event?

brandili
Explorer
‎07-10-2014 04:06 AM

Hello,

I have a problem I'm not able to solve.

I'm getting information from a server where two timestamp appear. Splunk is considering the first timestamp of the log. However, I would like Splunk consider only the second timestamp in the log line. How do I get splunk to recognize the second timestamp? Follows the example of the log below:

First timestamp - - - - -Second timestap

2014-07-09 10:22:00 - 2014-07-10 07:15:10 4 100 Notice License: License leased to user BRA01

2014-07-09 10:22:00 - 2014-07-10 07:15:02 4 100 Notice CAL usage: Using CAL of type "Named User" for user "BRA01"

Thanks.

Tags (2)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-10-2014 05:15 AM

Add a TIME_PREFIX statement to the appropriate stanza of your props.conf file.

TIME_PREFIX = .{22}

should tell Splunk to skip the first 22 characters before looking for a timestamp.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...