Getting Data In

Timestamp extraction props.conf

aaronkorn
Splunk Employee
Splunk Employee

Hello,

We have the following timestamp in our log but are unsure how to edit the props.conf to pick it up:

The format is MM/DD HH:MM YY

IDENTIFIER TIMESTAMP T C RESOURCE_NAME DESCRIPTION
AA8AB241 0115010113 T O OPERATOR OPERATOR NOTIFICATION
BF05CF18 0115010013 I H pt3rmt04079 AAA5
BF05CF18 0115010013 I H pt3rmt04074 AAA5
BF05CF18 0115010013 I H pt3rmt04071 AAA5
BF05CF18 0115010013 I H pt3rmt04055 AAA5
BF05CF18 0115010013 I H pt3rmt04050 AAA5
BF05CF18 0115010013 I H pt3rmt04049 AAA5
BF05CF18 0115010013 I H pt3rmt04042 AAA5
BF05CF18 0115010013 I H pt3rmt04038 AAA5
BF05CF18 0115010013 I H pt3rmt04031 AAA5
BF05CF18 0115010013 I H pt3rmt04030 AAA5

Tags (3)
0 Karma

martin_mueller
SplunkTrust
SplunkTrust

You may be looking for this:

TIME_FORMAT=%m%d%H%M%S
TIME_PREFIX=^\S+\s+

Note, the prefix may be wrong for other types of data you have. It just skips over the first word.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Works for me when taking your sample data into the data inputs preview.

0 Karma

aaronkorn
Splunk Employee
Splunk Employee

This didnt seem to do it.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...