The following is one event from the data:
MACUL DIRP101 JUL14 00:00:00 5577 INFO DIRP_FLOW_LOG REASON= 15 SSYS#= 2
SSNAME= OM POOL#= 4 VOLUME#= 68 SOS_FILE_ID= 2949 0005 003C
TEXT1= SCHEDULED OG ROTATE COMPLETED, RECORDS: 46628 PARM1= 1978
TEXT2= VOL: D050OM3, FILE: A140913000088OM, ROTATE: PARM2= 2A67
I tried using the timestamps tab when indexing the data, without successful results. I think I have been doing something wrong.
Thanks in advance!
Sorry, but I don't know why the backslash symbol does not appear in my post. For the location pattern, the correct stanza is:
Location: Timestamp is always prefaced by pattern: `MACUL\s+\S+\s`
Backslash is the escape character. To insert a backslash you can either use two backslashes or enclose your text in backticks (`).
Try adding the following to the appropriate stanza of your props.conf file.
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = MACUL
TIME_FORMAT = %b%d %H:%M:%S
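The stanza above (SHOULD_LINEMERGE / BREAK_ONLY_BEFORE / TIME_FORMAT), together with the prefix pattern `MACUL\s+\S+\s` discussed elsewhere in this thread (the props.conf equivalent is TIME_PREFIX), reproduced in Python as an added example so the event breaking and the timestamp parse can be checked outside Splunk's preview screen. This is not code from the thread or from Splunk. The sample events are constructed in the style of the event in the question; the year (2014) and the UTC timezone are assumptions, since the log carries neither.

```python
import re
from datetime import datetime, timezone, tzinfo
from typing import List, Optional

# Constructed sample in the style of the thread's DIRP_FLOW_LOG events (not real
# captured data). Each event starts with "MACUL" and continues over several lines
# of varying length; the year is absent from the timestamp, as in the real log.
SAMPLE = """\
MACUL DIRP101 JUL14 00:00:00 5577 INFO DIRP_FLOW_LOG REASON= 15 SSYS#= 2
SSNAME= OM POOL#= 4 VOLUME#= 68 SOS_FILE_ID= 2949 0005 003C
TEXT1= SCHEDULED OG ROTATE COMPLETED, RECORDS: 46628 PARM1= 1978
TEXT2= VOL: D050OM3, FILE: A140913000088OM, ROTATE: PARM2= 2A67
MACUL DIRP102 JUL14 00:05:30 5578 INFO DIRP_FLOW_LOG REASON= 7 SSYS#= 2
TEXT1= SECOND EVENT, SHORTER THAN THE FIRST
"""

# Mirrors SHOULD_LINEMERGE = true + BREAK_ONLY_BEFORE = MACUL: a new event begins
# only at a line starting with MACUL; every other line is merged into the open event.
EVENT_START = re.compile(r"^MACUL")

# Mirrors the timestamp settings from the thread:
#   TIME_PREFIX = MACUL\s+\S+\s   (skip "MACUL", the module name, and one space)
#   TIME_FORMAT = %b%d %H:%M:%S   (e.g. "JUL14 00:00:00")
TIME_PREFIX = re.compile(r"MACUL\s+\S+\s")
TIME_FORMAT = "%b%d %H:%M:%S"


def break_events(raw: str) -> List[str]:
    """Split raw text into multi-line events, one per MACUL header line."""
    events: List[str] = []
    for line in raw.splitlines():
        if EVENT_START.match(line) or not events:
            events.append(line)          # header line opens a new event
        else:
            events[-1] += "\n" + line    # continuation line joins the open event
    return events


def extract_timestamp(event: str, year: int, tz: tzinfo = timezone.utc) -> Optional[datetime]:
    """Locate the timestamp after TIME_PREFIX and parse it with TIME_FORMAT.

    The log carries no year, so the caller supplies one (assumption: Splunk would
    fill in the current year); strptime would otherwise default to 1900.
    The tz argument plays the role of a TZ setting in props.conf (assumed UTC).
    """
    m = TIME_PREFIX.search(event)
    if not m:
        return None
    # "%b%d %H:%M:%S" spans exactly two whitespace-separated fields after the prefix.
    fields = event[m.end():].split()[:2]
    try:
        parsed = datetime.strptime(f"{year} {' '.join(fields)}", "%Y " + TIME_FORMAT)
    except ValueError:
        return None  # prefix found but no parsable timestamp behind it
    return parsed.replace(tzinfo=tz)


def index_events(raw: str, year: int) -> List[Optional[datetime]]:
    """Run the break-then-extract pipeline over raw text, one result per event."""
    return [extract_timestamp(ev, year) for ev in break_events(raw)]


if __name__ == "__main__":
    for ev, ts in zip(break_events(SAMPLE), index_events(SAMPLE, 2014)):
        print(ts.isoformat() if ts else "NO TIMESTAMP", "|", ev.splitlines()[0])
```

Two things worth noticing when comparing this with the preview screen: Python's strptime accepts the undelimited `%b%d` ("JUL14") without complaint, and an event whose header is present but whose timestamp does not parse is reported as having no timestamp rather than silently picking up a date from elsewhere in the text, which is the kind of fallback that produces results like the 9/25/01 one reported in this thread.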
I'm glad you got it working. Please accept the answer to help others in future.
Hi!
Thanks for your help. It was very useful in solving this issue.
As we reviewed, I had some problems, but with these settings on the timestamp tab it worked:
Location: Timestamp is always prefaced by pattern: MACUL\s+\S+\s
Format: Timestamp format (strptime): %b%d %H:%M:%S
On the preview screen it seemed not to work well (the result was not OK); nevertheless I continued indexing, and the result was different and it worked.
You may need to add a TZ statement to your props file, but your problem appears to be more than that. I wonder if Splunk has a bug processing the %b format string if it is not delimited.
Thanks for the answer, but unfortunately it seems not to be working as expected.
I click on the advanced mode (props.conf) tab and paste the stanza received. Below is the result given for the timestamp:
9/25/01 4:51:20.000 PM
Did I do it correctly? I have read about editing the props.conf, but I haven't worked with this yet. I would appreciate it if you could tell me whether I'm doing OK, please.
Thanks!
Hi!
Thanks for the quick answer.
In relation to your questions, the time stamp is: "JUL14 00:00:00".
In fact, the events are multiline. They do not all have the same format and line length (unfortunately). They do begin with the word "MACUL" in this log, but the following strings can vary.
The timestamp represents 14th July of the current year.
In addition, these logs come from a Huawei Softx300 softswitch.
Thanks a lot!
Is 'JUL14 00:00:00' the timestamp field? If so, does it represent 14th July of the current year or something else?
Hello. Can you tell us exactly which is the timestamp in the example? Is the event multiline exactly as shown? Do your events look all the same? (Same format, same line length, same begin string, ...)