Getting Data In

Timestamp assignment for an event

AnithaL
New Member

Hi ,

Here is the sample log, along with the line numbers mentioned, which I am trying to upload to Splunk.

1 ) a
2 ) a1
3 ) a2
4 ) a3
5 ) a4
6 ) a5
7 ) begin script 2013-01-15 02:26:27::Status :0
8 ) Run_Job ::2013-01-15 02:26:27::pmcmd Return Code=0
9 ) Run_Job ::2013-01-15 02:26:27::Workflow wf_FF completed Successfully..
10 ) _Upd_DT_ID ::2013-01-15 02:30:14::Update Max Date in for JOB STREAM ID wf_FF
11 ) *** Warning: EOF on INPUT stream.
12 ) *** Warning: EOF on INPUT stream.
13 ) :: .ksh::2013-01-15 02:30:15::Last Extract ID/LAST Extract DATE and SOURCE_FLAT_FILE_NAME updated successfully.
14 ) *** Warning: EOF on INPUT stream.
15 ) *** Warning: EOF on INPUT stream.
16 ) ::2013-01-15 02:30:16::Completed. and updated successfully.
17 ) ::2013-01-15 02:30:16::Removing the session specific Temp file
18 ) ::2013-01-15 02:30:16::Successfully removed Temp file
19 ) ::2013-01-15 02:30:16::End processing for workflow wf_FF
20 ) ### Command completed.

For the first 6 lines, Splunk assigns the timestamp at the time the data is indexed, and for the rest it takes the timestamp from the log data.

I need the first 6 lines merged into the second event as well, so that they get their timestamp from the log.

Thanks in advance.

Anitha.


martin_mueller
SplunkTrust

You may be able to coerce those first lines into the next event by fiddling with the TIME_PREFIX value in props.conf - I didn't test that for this log though, just give it a go.



martin_mueller
SplunkTrust

In-depth documentation is at http://docs.splunk.com/Documentation/Splunk/5.0.1/Data/ConfigurePositionalTimestampExtraction and http://docs.splunk.com/Documentation/Splunk/5.0.1/admin/Propsconf

In essence you're telling Splunk where to start looking for a timestamp. You can set this either manually in props.conf or in the preview for new data inputs; the latter is likely the better option for you.

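A concrete props.conf stanza for this log, added here as a worked example; it is not from the original thread or from Splunk's documentation, and it has not been run against this exact file. It assumes the input is tagged with a sourcetype named wf_script_log (a made-up name), that the real content of lines 1-6 contains neither "::" directly followed by a date nor the text "begin script", and that the timestamps are in the indexer's local time zone. TIME_PREFIX alone does not move lines 1-6 into the next event: the default line merging breaks before every line that carries a date, which is exactly why the undated preamble ends up as its own event. The stanza therefore changes where events are broken, so that a new event starts only before lines of the form "...::YYYY-MM-DD HH:MM:SS...", and then uses TIME_PREFIX to point the timestamp parser at the right spot in each event.

```ini
# Added example (not from the thread): props.conf on the indexer or heavy
# forwarder that parses this log. The sourcetype name is assumed; use the one
# the input is tagged with in inputs.conf.
[wf_script_log]

# Break events with LINE_BREAKER instead of letting Splunk merge lines around
# dates (the default behaviour that split off lines 1-6).
SHOULD_LINEMERGE = false

# Start a new event only before a line that contains "::" immediately followed
# by a YYYY-MM-DD HH:MM:SS timestamp. The capture group (the newline run) is
# the boundary and is discarded. Line 7, "begin script 2013-01-15 02:26:27::Status :0",
# has the date BEFORE its "::", so no break happens there and lines 1-6 stay
# attached to it. "*** Warning" and "### Command completed." lines have no
# timestamp and stay with the preceding event, as they did before.
LINE_BREAKER = ([\r\n]+)(?=[^\r\n]*::\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})

# Where the timestamp begins inside an event: right after "begin script " (the
# merged first event) or right after a "::" that is directly followed by the
# date (all other events, including ":: .ksh::2013-01-15 ..." whose first "::"
# is not followed by a date). The lookahead makes the prefix match end exactly
# one character before the date, which is what TIME_FORMAT requires.
TIME_PREFIX = (?:begin script |::)(?=\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})

# strptime format of the timestamp, and how many characters to read after the
# prefix (19 = length of "2013-01-15 02:26:27").
TIME_FORMAT = %Y-%m-%d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 19

# Assumption: the timestamps are in the indexer's local time. If they are not,
# set the zone explicitly, e.g.
# TZ = UTC
```

These settings are applied at parse time, so they only affect data indexed after Splunk has been restarted with the new props.conf; events that are already indexed keep the timestamps they were given. The quickest check is to run the file through the data preview page with this sourcetype and confirm that the first event now starts with the preamble and shows 02:26:27 as its time, that each "Run_Job ::..." line is still its own event, and that the "*** Warning" lines still hang off the event before them. `splunk btool props list wf_script_log --debug` shows which props.conf file each setting is actually coming from, which matters when an app ships its own stanza for the same sourcetype.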

AnithaL
New Member

Hi

I am new to Splunk, and I am not sure how to use TIME_PREFIX.

Regards,
Anitha
