Solved: Help with Time prefix and date format

nipendo · ‎01-16-2018

What time prefix and time format should I use.
I will appreciate your help with this one.

=INFO REPORT==== 15-Jan-2018::09:51:48 ===
connection <0.9091.502> (192.168.1.56:61982 -> 192.168.1.81:5672): user aaaa' authenticated and granted access to vhost '/'

=INFO REPORT==== 15-Jan-2018::09:51:48 ===
closing AMQP connection <0.9091.502> (192.168.1.56:61982 -> 192.168.1.81:5672, vhost: '/', user: 'aan')

=WARNING REPORT==== 15-Jan-2018::09:51:48 ===
Could not find handle.exe, please install from sysinternals

mayurr98 · ‎01-17-2018

hey try this

TIME_FORMAT = %d-%b-%Y::%H:%M:%S
TIME_PREFIX = REPORT====\s

let me know if this helps !

View solution in original post

richgalloway · ‎01-17-2018

Try these settings.

TIME_PREFIX = =
TIME_FORMAT = %d-%b-%Y::%H:%M:%S

---
If this reply helps you, Karma would be appreciated.

mayurr98 · ‎01-17-2018

hey try this

TIME_FORMAT = %d-%b-%Y::%H:%M:%S
TIME_PREFIX = REPORT====\s

let me know if this helps !

cmerriman · ‎01-17-2018

are you trying to extract a timestamp from these logs during index or during search?

nipendo · ‎01-17-2018

i am trying to index these logs.
i want to know what should i write in props.conf
like:
MAX_TIMESTAMP_LOOKAHEAD = 50
NO_BINARY_CHECK = true
TIME_FORMAT = %d/%m/%Y %H:%M:%S.%3N
TIME_PREFIX = ^
category = Custom

Help with Time prefix and date format

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life