Sample Log Data:
20150121
1
101834
10:18:34:794
2953 1
CN0010001
HARI1
GROUP.DEBIT.INT
1 I
150121101834794
How should I configure props.conf to take 150121101834794 as the timestamp and break the event after that?
Please try the below:
[logs]
TIME_PREFIX = 1\sI\s+
TIME_FORMAT = %y%m%d%H%M%S%3N
Yeah, I think this should work, but the text formatting on this site seems to have messed up the answer here (for TIME_PREFIX). It should instead be TIME_PREFIX = 1\s|\s+
But then again, you'll need to confirm that the 1 | always appears just before the date/time string; otherwise you'll probably be better off using MAX_TIMESTAMP_LOOKAHEAD = ###, where ### is some number of characters into the event Splunk should look for a timestamp.
Is "150121101834794" a static string?
Yes, this is basically a complete event:
20150121
1
101834
10:18:34:794
2953 1
CN0010001
HARI1
GROUP.DEBIT.INT
1 I
150121101834794
This 150121101834794 is the time given in the event. After this, a new event starts with the same pattern.
We have used the time format %y%m%d%H%M%S%3N for this event.
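An added example (my own code, not from the thread or from Splunk) that emulates what the suggested TIME_PREFIX / TIME_FORMAT / MAX_TIMESTAMP_LOOKAHEAD settings do on this data: it breaks the stream after each 15-digit timestamp and parses it with the %y%m%d%H%M%S%3N layout (mapped to Python's %f). The two-event sample, the truncated third event and the escaped pipe in the prefix regex are my assumptions.

```python
import re
from datetime import datetime

# Constructed sample: two complete events in the layout from the question (fields space-separated,
# the "1 |" marker right before the timestamp, which ends the event) plus a truncated third event
# that never reaches its "1 |" marker, to show the failure mode the second answer warns about.
SAMPLE = (
    "20150121 1 101834 10:18:34:794 2953 1 CN0010001 HARI1 GROUP.DEBIT.INT 1 | 150121101834794\n"
    "20150121 1 101835 10:18:35:012 2954 1 CN0010002 HARI1 GROUP.DEBIT.INT 1 | 150121101835012\n"
    "20150121 1 101836 10:18:36:100 2955 1 CN0010003 HARI1 GROUP.DEBIT.INT\n"
)

# The pipe is escaped: an unescaped | in a regex is alternation ("1\s" OR "\s+"), not a literal bar.
TIME_PREFIX = re.compile(r"1\s\|\s+")
TS_DIGITS = re.compile(r"\d{15}")            # yymmddHHMMSS + 3-digit milliseconds
TIME_FORMAT = "%y%m%d%H%M%S%f"               # Python's %f stands in for Splunk's %3N
MAX_TIMESTAMP_LOOKAHEAD = 32                 # chars after the prefix in which the timestamp must start
EVENT_END = re.compile(r"1\s\|\s+\d{15}")    # an event ends right after its timestamp


def split_events(raw: str) -> list[str]:
    """Break the raw stream into events, ending each one just after its timestamp."""
    events, start = [], 0
    for m in EVENT_END.finditer(raw):
        events.append(raw[start:m.end()].strip())
        start = m.end()
    tail = raw[start:].strip()
    if tail:
        events.append(tail)  # trailing data with no timestamp: kept, but it will not parse
    return events


def extract_timestamp(event: str):
    """Return the datetime that follows TIME_PREFIX, or None when it is missing or malformed."""
    m = TIME_PREFIX.search(event)
    if not m:
        return None
    d = TS_DIGITS.match(event, m.end(), m.end() + MAX_TIMESTAMP_LOOKAHEAD)
    if not d:
        return None
    digits = d.group(0)
    # %f wants microseconds, so pad the 3-digit millisecond field to 6 digits before parsing.
    try:
        return datetime.strptime(digits[:12] + digits[12:].ljust(6, "0"), TIME_FORMAT)
    except ValueError:
        return None


if __name__ == "__main__":
    for ev in split_events(SAMPLE):
        print(extract_timestamp(ev), "<-", ev)
```

Events whose marker is missing come back with no timestamp, which is the case where Splunk would fall back to other heuristics and the thread suggests bounding the search instead.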