Solved: Need help with regex in props.conf

dmenon84 · ‎09-19-2017

Hi all,

Here is how my raw logs look. I need help with props.conf so that I can index by the second time field instead of the first one.

Sep 19 12:45:19 129.106.x.x fdbsyslog: timestamp=2017.09.19 - 12:25:16.056 devname=123 device_id=123 type=alert

Thanks in advance

cpetterborg · ‎09-19-2017

You'll want to use something like this in the props.conf:

TIME_FORMAT=%Y.%m.%d - %T.%N
TIME_PREFIX=timestamp=

View solution in original post

lfedak_splunk · ‎09-20-2017

Hey @dmenon84, if @cpetterborg's solution+comment worked then please don't forget to accept his answer to award karma points and close the question. 🙂

cpetterborg · ‎09-19-2017

You'll want to use something like this in the props.conf:

TIME_FORMAT=%Y.%m.%d - %T.%N
TIME_PREFIX=timestamp=

dmenon84 · ‎09-19-2017

Thanks for quick response. Before I try this what do you think about my line breaker in props file

TIME_FORMAT=%Y.%m.%d - %T.%N
TIME_PREFIX=timestamp=
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\n\r]+)\w+\s+\d+\s\d{2}:\d{2}:\d{2}

Each events starts with a timestamp

Sep 19 12:23:26 129.106.x.x fdbsyslog: timestamp=2017.09.19 - 12:03:22.980 devname=1123 device_id=abc type=alert
Sep 19 12:23:26 129.106.x.x fdbsyslog: timestamp=2017.09.19 - 12:03:22.980 devname=123 device_id=cde type=alert

cpetterborg · ‎09-19-2017

More easily understood is the ^ instead of ([\n\r]+), be more specific on the month, and use BREAK_ONLY_BEFORE, so I'd do:

BREAK_ONLY_BEFORE = ^\w{3}\s+\d+\s\d{2}:\d{2}:\d{2}

dmenon84 · ‎10-02-2017

Thank you for all the help !

Need help with regex in props.conf

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!