Getting Data In

How to configure props.conf to index a log with two or three timestamps?

dovelsh12223621
Path Finder

In my log, there are two timestamp formats, like this:

logname=test. msg=[007574][20150602 111413] aaa
logname=test. msg=[00022526][111400:808] bbbbbb

A) [20150602 111413] means At 11:14:13 on June 2nd, 2015
B) [111400:808] means 11:14:00 808 milliseconds
How do I configure the props.conf file to get these two timestamps simultaneously? Sometimes my log is indexed with timestamp A and sometimes timestamp B.

dovelsh12223621
Path Finder

Thanks for your help. However, I do not know how to use TIME_FORMAT when the log has two timestamps.
I have done it like this:
TIME_FORMAT=(%y%m%d %H%M%S) | (%H%M%S:%3N )
But the TIME_FORMAT does not work for either one.


stephane_cyrill
Builder

I think, to have the two timestamps, we need only to set TIME_FORMAT to the format of 11:14:00 808 milliseconds. By doing so, the other timestamp will be set by default to the same format.

So try this: TIME_FORMAT = %y%m%d %H%M%S%3Q
where 3Q is for milliseconds.

And do not forget to specify TIME_PREFIX. Your stanza in props.conf will look like this, for example:

[source::]
TIME_PREFIX = ][
TIME_FORMAT = %y%m%d %H%M%S%3Q

TIME_FORMAT starts reading after the TIME_PREFIX (or directly at the start of the event, if there's no TIME_PREFIX attribute).

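As an added illustration (not from this thread and not Splunk's own code), here is a Python sketch of what extracting two timestamp formats from the sample events actually involves: try each (prefix, format) pair in order, and for the date-less format B borrow the date from context. The regexes and strptime strings are my stand-ins for TIME_PREFIX and TIME_FORMAT, and the carry-the-last-date-forward rule is an assumption for the example, not a description of how the indexer behaves.

```python
import re
from datetime import date, datetime

# Constructed sample events mirroring the two formats from the question.
SAMPLE_EVENTS = [
    "logname=test. msg=[007574][20150602 111413] aaa",
    "logname=test. msg=[00022526][111400:808] bbbbbb",
]

# (label, regex, strptime format). The regex stands in for TIME_PREFIX plus
# anchoring; the format string stands in for TIME_FORMAT. Tried in order.
CANDIDATES = [
    ("A", re.compile(r"\]\[(\d{8} \d{6})\]"), "%Y%m%d %H%M%S"),  # full date + time
    ("B", re.compile(r"\]\[(\d{6}):(\d{3})\]"), "%H%M%S:%f"),    # time + ms, no date
]

def extract_timestamp(event, reference_date):
    """Return (datetime, label) for the first candidate that matches.

    Format B carries no date, so the date is borrowed from reference_date;
    the label records which rule fired so that events whose date was
    inferred rather than read can be audited later.
    """
    for label, pattern, fmt in CANDIDATES:
        m = pattern.search(event)
        if m is None:
            continue
        if label == "A":
            return datetime.strptime(m.group(1), fmt), label
        # Pad milliseconds to microseconds so that %f accepts them.
        t = datetime.strptime(f"{m.group(1)}:{m.group(2)}000", fmt)
        return datetime.combine(reference_date, t.time()), label
    raise ValueError(f"no timestamp format matched: {event!r}")

def parse_events(events, default_date=date(1970, 1, 1)):
    """Parse events in order, carrying the last full date forward (assumption).

    A format-A event updates the date used for later format-B events; if a
    B event comes first, it silently gets default_date, which is exactly the
    kind of mis-dated event worth flagging in a review of indexed data.
    """
    current = default_date
    out = []
    for ev in events:
        ts, label = extract_timestamp(ev, current)
        if label == "A":
            current = ts.date()
        out.append((ts, label))
    return out

if __name__ == "__main__":
    for ts, label in parse_events(SAMPLE_EVENTS):
        print(label, ts.isoformat(timespec="milliseconds"))
```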