Hi.
I've just started with Splunk and need help setting up file input. The log files look like the below: a header row and one row per event. Each event starts with a number from 0 to whatever, the date, the time and a lot of other fields, all fields separated by semicolons:
0;30Jun2012;23:30:00;
567498;1Jul2012;11:26:44;
What I need help with is setting up the recognition. Auto does not work and I'm not too good with regular expressions.
Anyone?
Share and enjoy
Kjetil
It's not regular expressions you need, but rather strftime/strptime style definitions. I usually go to http://strftime.org/ for a quick reference on them - or if the short version there doesn't cover what I want, I do man strftime in a UNIX shell. These definitions should go in the TIME_FORMAT directive in the appropriate section in props.conf. So for your logs it should be something like:
[your_sourcetype]
TIME_FORMAT = %e%b%Y;%H:%M:%S
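A way to check that format against the sample lines before touching a production props.conf, as an added example that is not part of the answer above or of any Splunk code: the script below mimics what Splunk does with a TIME_PREFIX (assumed here to be `^\d+;`, so the timestamp search starts after the leading counter rather than at the start of the line), a TIME_FORMAT and a MAX_TIMESTAMP_LOOKAHEAD window, and shows that the header row is rejected while both event rows parse. The log lines are constructed to match the question's description, and the stanza name `your_sourcetype` is the answer's placeholder. Python's strptime has no `%e`, so the script uses `%d`, which in Python accepts a one-digit day just as `%e` does for Splunk. One caveat the format itself cannot fix: the lines carry no timezone, so Splunk will assume the indexer's zone unless the stanza also sets TZ.

```python
import re
from datetime import datetime

# Constructed sample in the question's layout: a header row, then
# "<counter>;<day><Mon><year>;<HH:MM:SS>;<more fields>" per event.
SAMPLE_LOG = """id;date;time;user;action
0;30Jun2012;23:30:00;alice;login
567498;1Jul2012;11:26:44;bob;logout
"""

# The props.conf stanza this script mirrors (assumed, for illustration):
#   [your_sourcetype]
#   TIME_PREFIX = ^\d+;
#   TIME_FORMAT = %e%b%Y;%H:%M:%S
#   MAX_TIMESTAMP_LOOKAHEAD = 20
# Python strptime lacks %e, so %d is used; Python's %d also accepts "1".
TIME_PREFIX = re.compile(r"^\d+;")
TIME_FORMAT = "%d%b%Y;%H:%M:%S"
MAX_TIMESTAMP_LOOKAHEAD = 20  # characters after the prefix to search


def extract_timestamp(line):
    """Return the datetime for one event line, or None when no timestamp
    sits where the config expects one (e.g. the header row)."""
    m = TIME_PREFIX.match(line)
    if not m:
        return None
    # Only the lookahead window after the prefix is considered, as in Splunk.
    window = line[m.end():m.end() + MAX_TIMESTAMP_LOOKAHEAD]
    # strptime wants an exact match, so keep just the date and time fields.
    candidate = ";".join(window.split(";")[:2])
    try:
        return datetime.strptime(candidate, TIME_FORMAT)
    except ValueError:
        return None


def parse_events(text):
    """Split the semicolon-separated log into (timestamp, fields) tuples,
    dropping any line whose timestamp does not parse."""
    events = []
    for line in text.splitlines():
        ts = extract_timestamp(line)
        if ts is None:
            continue
        events.append((ts, line.split(";")))
    return events


if __name__ == "__main__":
    for ts, fields in parse_events(SAMPLE_LOG):
        print(ts.isoformat(), fields)
```

If a line prints with no timestamp here, Splunk would fall back to the previous event's time or the file modification time for it, which is exactly the "Auto does not work" symptom from the question; fix the format until every event line parses.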