Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Another timestamp question

Greg_LeBlanc
Path Finder
‎10-06-2011 12:07 PM

I am having a difficult time extracting the correct timestamp from a specific log.

As you can see below, the beginning of the log entry there are two timestamps back to back. 

2851,10/06/2011,18:59:29,10/06/2011,14:59:29,1011,

Here is my props.conf

    [sourcetype]
    MAX_TIMESTAMP_LOOKAHEAD = 20
    TZ = America/New_York
    TIME_PREFIX = \d{4},\d{2}/\d{2}/\d{4},\d{2}\:\d{2}\:\d{2},

The first timestamp is still being extracted. See anything wrong here?

EDIT: Can I perform these actions on a Universal Forwarder? Now that I think about it, I can't. Only a Heavy forwarder, correct?

EDIT: Looks like this was my fault. I had been trying this on a Universal Forwarder - I moved this to my Heavy Forwarder and it works! Thanks.

Reply
1 Solution
Solved! Jump to solution
Solution

alacercogitatus
SplunkTrust
SplunkTrust
‎10-06-2011 01:21 PM

Yep, only on an install that supports indexing (which light and universal disable). http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Forwardercapabilities

View solution in original post

Reply
Solved! Jump to solution
Solution

alacercogitatus
SplunkTrust
SplunkTrust
‎10-06-2011 01:21 PM

Yep, only on an install that supports indexing (which light and universal disable). http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Forwardercapabilities

Reply
Solved! Jump to solution

Greg_LeBlanc
Path Finder
‎10-06-2011 01:41 PM

Thanks! I will move the props.conf to our Heavy Forwarder.

0 Karma
Reply
Solved! Jump to solution

alacercogitatus
SplunkTrust
SplunkTrust
‎10-06-2011 01:21 PM

I guess I was a little unclear on which comma. I meant the one in the middle of the date and time, not the one on the end.

10/06/2011*,*14:59:29,

0 Karma
Reply
Solved! Jump to solution

jbsplunk
Splunk Employee
Splunk Employee
‎10-06-2011 01:21 PM

The extra character in MAX_TIMESTAMP_LOOKAHEAD shouldn't stop this from working. In fact, sometimes to be safe I'll intentionally add an extra digit if there things like a space or comma. I haven't noticed any strange behavior because of this, but the approach mentioned here is a valid.

0 Karma
Reply
Solved! Jump to solution

alacercogitatus
SplunkTrust
SplunkTrust
‎10-06-2011 01:21 PM

I've never really used the TIME_PREFIX, however from what I'm reading, the parser will try and find the TIME_PREFIX pattern first (which should match 2851,10/06/2011,18:59:29,) and then look the next 20 characters (from MAX_TIMESTAMP_LOOKAHEAD), which should then match 10/06/2011,14:59:29, which includes the comma. And since there is a comma, its not a "true" timestamp, as you will only have either a date or a time in the string. So it is never actually finding the second timestamp. There is also no need to escape the colons.

Try this:

TIME_FORMAT = %m/%d/%Y,%H:%M:%S

TIME_PREFIX = \d{4},\d{2}/\d{2}/\d{4},\d{2}:\d{2}:\d{2},

More details here

0 Karma
Reply
Solved! Jump to solution

jbsplunk
Splunk Employee
Splunk Employee
‎10-06-2011 12:46 PM

Your TIME_PREFIX looks okay in my estimation. It also looks like your MAX_TIMESTAMP_LOOKAHEAD is correct. If that isn't working, I would suggest you try specifying TIME_FORMAT as well. This needs to be done where the data is parsed, so on the Heavy Forwarder, or on the indexer which the forwarder is sending, presuming a forwarder is part of the picture.

http://docs.splunk.com/Documentation/Splunk/latest/Data/Configuretimestamprecognition

I think that this should be the correct format:

TIME_FORMAT = %m/%d/%Y,%H:%M:%S
0 Karma
Reply
Solved! Jump to solution

jbsplunk
Splunk Employee
Splunk Employee
‎10-06-2011 01:08 PM

corrected. thanks!

0 Karma
Reply
Solved! Jump to solution

alacercogitatus
SplunkTrust
SplunkTrust
‎10-06-2011 01:02 PM

Your %Y needs capitalized to match the 4 digit year.

0 Karma
Reply
Solved! Jump to solution

jdunlea_splunk
Splunk Employee
Splunk Employee
‎10-06-2011 12:42 PM

As far as I can see your MAX_TIMESTAMP_LOOKAHEAD = 20 only gets you as far as "9:29,10/06/2011,14:59:29,1011,"

Try changing your MAX_TIMESTAMP_LOOKAHEAD=25.

0 Karma
Reply
Solved! Jump to solution

Greg_LeBlanc
Path Finder
‎10-06-2011 12:56 PM

Thanks for the answer, I tried this and no luck!

0 Karma
Reply
Solved! Jump to solution

jbsplunk
Splunk Employee
Splunk Employee
‎10-06-2011 12:52 PM

This is actually not correct. Using TIME_PREFIX tells splunk what precedes the timestamp. When MAX_TIMESTAMP_LOOKAHEAD is used in conjunction with TIME_PREFIX, you are telling splunk to look ahead as many characters as you've specified after matching the regex in TIME_PREFIX. In this case, it would start at the second timestamp and look 20 characters ahead, means it should see '10/06/2011,14:59:29' as the timestamp.

0 Karma
Reply
Solved! Jump to solution

jdunlea_splunk
Splunk Employee
Splunk Employee
‎10-06-2011 12:50 PM

Oops i got confused on this! Indeed your MAX_TIMESTAMP_LOOKAHEAD is correct.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...