
How to configure props.conf for my sample data to recognize the correct timestamp and break the event after that?

splunk47
New Member

Sample Log Data:

20150121
1
101834
10:18:34:794
2953 1

CN0010001
HARI1
GROUP.DEBIT.INT
1 I

150121101834794

How should I configure props.conf to take 150121101834794 as the timestamp and break the event after that?


satishsdange
Builder

Please try the below:

[logs]
TIME_PREFIX = 1\sI\s+
TIME_FORMAT = %y%m%d%H%M%S%3N

klee310
Communicator

Yeah, I think this should work, but the text formatting on this site seems to have messed up the answer here (for TIME_PREFIX). It should instead be TIME_PREFIX = 1\s|\s+

But then again, you'll need to confirm that the "1 |" always appears just before the date/time string; otherwise you'll probably be better off using MAX_TIMESTAMP_LOOKAHEAD = ###, where ### is the number of characters into the event that Splunk should look for a timestamp.


Ayn
Legend

Is "150121101834794" a static string?


splunk47
New Member

Yes, this is basically a complete event:

20150121
1
101834
10:18:34:794
2953 1

CN0010001
HARI1
GROUP.DEBIT.INT
1 I

150121101834794

This 150121101834794 is the time given in the event. After it, a new event starts with the same pattern.
We have used the time format %y%m%d%H%M%S%3N for this event.

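Before pushing TIME_PREFIX / TIME_FORMAT changes to a production indexer, it is worth confirming offline that the regex really matches the sample and that the lookahead window parses with the stated format, which is exactly the check klee310 asks for above. The script below is an added example, not code from the thread or from Splunk: it emulates the settings in Python against a constructed copy of the posted event (plus a second, made-up event of the same shape) so the breaking and the timestamp extraction can be verified together. TIME_PREFIX and TIME_FORMAT come from the answer; MAX_TIMESTAMP_LOOKAHEAD = 15 (the length of the stamp) and BREAK_ONLY_BEFORE = ^\d{8}$ (start a new event at the 8-digit date line, i.e. break right after the 15-digit stamp) are assumptions, and the emulation is an approximation of Splunk's timestamp processor, not a reimplementation of it.

```python
"""Offline check of props.conf timestamp and line-breaking settings against
a sample event. Added example: emulates the settings in Python, not Splunk code."""
import re
from datetime import datetime
from typing import Optional

# Constructed sample stream: the event from the question, followed by a second
# event of the same shape that is made up for the check.
SAMPLE_STREAM = (
    "20150121\n1\n101834\n10:18:34:794\n2953 1\n\n"
    "CN0010001\nHARI1\nGROUP.DEBIT.INT\n1 I\n\n150121101834794\n"
    "20150121\n1\n101835\n10:18:35:120\n2953 1\n\n"
    "CN0010002\nHARI1\nGROUP.DEBIT.INT\n1 I\n\n150121101835120\n"
)

# Settings under test. TIME_PREFIX and TIME_FORMAT are from the answer in the
# thread; MAX_TIMESTAMP_LOOKAHEAD and BREAK_ONLY_BEFORE are assumptions made
# for this example (break before a line that is exactly the 8-digit date).
PROPS = {
    "TIME_PREFIX": r"1\sI\s+",
    "TIME_FORMAT": "%y%m%d%H%M%S%3N",
    "MAX_TIMESTAMP_LOOKAHEAD": 15,
    "BREAK_ONLY_BEFORE": r"^\d{8}$",
}


def splunk_format_to_strptime(fmt: str) -> str:
    """Translate Splunk's sub-second directive (%3N, %6N, ...) to strptime's %f.
    %f accepts 1-6 digits and pads on the right, so 3 digits read as milliseconds."""
    return re.sub(r"%[1-9]?N", "%f", fmt)


def break_events(stream: str, break_before: str) -> list[str]:
    """Emulate SHOULD_LINEMERGE = true with BREAK_ONLY_BEFORE: lines are merged
    into one event until a line matching the regex starts the next event."""
    events, current = [], []
    for line in stream.splitlines():
        if re.match(break_before, line) and current:
            events.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        events.append("\n".join(current))
    return events


def extract_timestamp(event: str, time_prefix: str, time_format: str,
                      lookahead: int) -> Optional[datetime]:
    """Emulate TIME_PREFIX + MAX_TIMESTAMP_LOOKAHEAD + TIME_FORMAT.
    Returns None when the prefix does not match anywhere in the event or no
    parsable timestamp sits inside the lookahead window after the match."""
    match = re.search(time_prefix, event)
    if match is None:
        return None
    window = event[match.end():match.end() + lookahead]
    fmt = splunk_format_to_strptime(time_format)
    # Splunk tolerates trailing characters after the stamp inside the window;
    # approximate that by trimming the window from the right until it parses.
    for end in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:end], fmt)
        except ValueError:
            continue
    return None


def check_props(stream: str, props: dict) -> list[Optional[datetime]]:
    """One extracted timestamp (or None) per event the settings would produce."""
    return [
        extract_timestamp(event, props["TIME_PREFIX"], props["TIME_FORMAT"],
                          props["MAX_TIMESTAMP_LOOKAHEAD"])
        for event in break_events(stream, props["BREAK_ONLY_BEFORE"])
    ]


if __name__ == "__main__":
    # Try the answer's prefix and the alternative prefix suggested in the thread.
    # In a regex an unescaped "|" is alternation, and the sample contains "1 I",
    # so the check reports which prefix actually yields a timestamp for this data.
    for prefix in (r"1\sI\s+", r"1\s|\s+"):
        stamps = check_props(SAMPLE_STREAM, {**PROPS, "TIME_PREFIX": prefix})
        print(f"TIME_PREFIX = {prefix!r}: {stamps}")
```

Run it with the real log snippet in place of SAMPLE_STREAM; two events with two non-None timestamps is the result to expect before the stanza goes into props.conf, and a None is the signal that the prefix or the lookahead needs adjusting for that data.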