Hello!
Given an event like this:
PSMONITORSRV.32876010 (0) [09/15/12 09:16:20](3) PSJNI: Created a Java VM instance
I have two questions:
Thanks!
Just given one event, it's not easy to give a regex that will always work. Try rex to find a regex that will match the correct part of the event. The following might work for you.
... | rex "^(?:\S+\s+){3}(?<msg>.*)$"
If Splunk does not capture the timestamp in the event correctly, you may have to edit the props.conf on the splunk server where the PARSING takes place. Normally that would be the Indexer, but if you have Heavy Forwarders, that's where you would make the configuration.
props.conf
[your_sourcetype]
TIME_PREFIX = \[
TIME_FORMAT = %m/%d/%y %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 40
Hope this helps,
Kristian
Thank you as well for your response. I plan to give these a try later today. Thanks again!
🙂 indeed
🙂 we should stop meeting like this
Regex (assuming general format stays the same): "\[\d+/\d+/\d+\s+\d+:\d+:\d+\]\(\d+\)(?P<yourField>.*)$"
You can test regular expressions on your data using the following web-based tool: http://gskinner.com/RegExr/
For timestamp recognition you should look at the following docs: http://docs.splunk.com/Documentation/Splunk/latest/Data/Configuretimestamprecognition
So for example for your data sourcetype you could configure something like:
[yourSourcetype]
MAX_TIMESTAMP_LOOKAHEAD = <integer>
TIME_PREFIX = <regular expression>
TIME_FORMAT = <strptime-style format>
External resource for strptime format: http://linux.die.net/man/3/strptime
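Added example, not code from either answer: it runs the rex pattern from Kristian's answer, the anchored regex from the answer above, and an emulation of the TIME_PREFIX / TIME_FORMAT / MAX_TIMESTAMP_LOOKAHEAD settings against the sample event from the question, so you can see what each actually captures before editing a search or props.conf. Python's re module needs (?P<name>...) where Splunk's PCRE also accepts (?<name>...); SAMPLE_EVENT is the event string from the question, and the lookahead emulation is a simplification of Splunk's real timestamp extractor.

```python
import re
from datetime import datetime

# The event from the question, embedded here as constructed sample input.
SAMPLE_EVENT = "PSMONITORSRV.32876010 (0) [09/15/12 09:16:20](3) PSJNI: Created a Java VM instance"

# Kristian's rex pattern: skip three whitespace-separated tokens, capture the rest.
# Only change: (?P<msg>...) instead of (?<msg>...), which Python's re requires.
MSG_RE = re.compile(r"^(?:\S+\s+){3}(?P<msg>.*)$")

# The second answer's pattern: anchor on the bracketed timestamp and the "(n)"
# that follows it, so a space inside the timestamp does not shift the capture.
MSG_RE_ANCHORED = re.compile(r"\[\d+/\d+/\d+\s+\d+:\d+:\d+\]\(\d+\)(?P<yourField>.*)$")

# Emulation of the props.conf settings: TIME_PREFIX locates the start of the
# timestamp, TIME_FORMAT is the strptime format, MAX_TIMESTAMP_LOOKAHEAD bounds
# how many characters after the prefix are examined (simplified model, see lead-in).
TIME_PREFIX = re.compile(r"\[")
TIME_FORMAT = "%m/%d/%y %H:%M:%S"
MAX_TIMESTAMP_LOOKAHEAD = 40


def extract_msg(event):
    """Capture group 'msg' from the token-counting rex pattern, or None."""
    m = MSG_RE.match(event)
    return m.group("msg").strip() if m else None


def extract_msg_anchored(event):
    """Capture group 'yourField' from the timestamp-anchored pattern, or None."""
    m = MSG_RE_ANCHORED.search(event)
    return m.group("yourField").strip() if m else None


def extract_timestamp(event):
    """Find TIME_PREFIX, then parse TIME_FORMAT from the text that follows it,
    looking at most MAX_TIMESTAMP_LOOKAHEAD characters ahead. Returns datetime or None."""
    m = TIME_PREFIX.search(event)
    if not m:
        return None
    window = event[m.end(): m.end() + MAX_TIMESTAMP_LOOKAHEAD]
    # strptime rejects trailing characters, so try the longest prefix first.
    for end in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:end], TIME_FORMAT)
        except ValueError:
            continue
    return None
```

On the sample event the token-counting pattern splits inside the bracketed timestamp (the date and time are separated by a space, so "[09/15/12" is the third token), while the anchored pattern returns the text after "(3)".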
Thank you for your response. I will give this a try and report back!
Oh dear..... not again...