How do I configure props.conf to recognize the pro...

daniel333 · ‎12-03-2015

Hello,

I have an issue where a small percentage of my logs are coming in dated 2011. I tracked it down to a field called usernum=* where some subset of the users account numbers match Epoch time format. So Splunk uses that time as the time. The correct field it should use it start.

I assume there is someway to set in the props.conf on the indexers to say

[mysourcetype]
Time_Use_Field=start

But for the life of me the time documentation is going over my head.

MuS · ‎12-03-2015

Hi daniel333,

try using TIME_PREFIX in props.conf

TIME_PREFIX = <regular expression>
* If set, splunk scans the event text for a match for this regex in event
  text before attempting to extract a timestamp.
* The timestamping algorithm only looks for a timestamp in the text
  following the end of the first regex match.
* For example, if TIME_PREFIX is set to "abc123", only text following the
  first occurrence of the text abc123 will be used for timestamp extraction.
* If the TIME_PREFIX cannot be found in the event text, timestamp extraction
  will not occur.
* Defaults to empty.

so, assuming your field looks like this start=epochyou can try this:

[mysourcetype]
TIME_PREFIX = start=

But also be aware of the second last line If the TIME_PREFIX cannot be found in the event text, timestamp extraction will not occur. So make sure the start fields is always available in your events.

Hope this helps ...

cheers, MuS

How do I configure props.conf to recognize the proper timestamp for my logs?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases