Re: How to configure props.conf for my sample data...

splunk47 · ‎02-22-2015

Sample Log Data:

20150121
1
101834
10:18:34:794
2953 1

CN0010001
HARI1
GROUP.DEBIT.INT
1 I

150121101834794

How should I configure props.conf to take 150121101834794 as the timestamp and break the event after that.

satishsdange · ‎02-23-2015

Please try below

[logs]
TIME_PREFIX = 1\sI\s+
TIME_FORMAT = %y%m%d%H%M%S%3N

klee310 · ‎02-23-2015

ya, I think this should work - but the text-formatting on this site seems to have messed up the answer here (for TIME_PREFIX).. it should instead be TIME_PREFIX = 1\s|\s+

but then again, you'll need to confirm the 1 | always appear just before the date/time string - otherwise you'll probably be better off using MAX_TIMESTAMP_LOOKAHEAD = ### - ### is some number of characters into the event Splunk should look for a timestamp

Ayn · ‎02-23-2015

Is "150121101834794" a static string?

splunk47 · ‎02-23-2015

yes this is basically a complete event

20150121
1
101834
10:18:34:794
2953 1

CN0010001
HARI1
GROUP.DEBIT.INT
1 I

150121101834794

this 150121101834794 is time given in event .. after this a new event is start with a same pattren
we have used time format for this event %y%m%d%H%M%S%3N

How to configure props.conf for my sample data to recognize the correct timestamp and break the event after that?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases