need help in writing time prefix and time format

saifuddin9122 · ‎05-23-2017

Hello All

i have events like this:

hn:keng01-dev01-ins01-rpt31.int.dev.mykronos.com|pid:3161|prod:iHub|****4145194752*licensekey.cpp*01640*07000**2017MAY22*09:40:13*
Is PMD Using All CPU cores: Yes
hn:keng01-dev01-ins01-rpt31.int.dev.mykronos.com|pid:3161|prod:iHub|****4145194752*licensekey.cpp*01640*07000*2017MAY22*09:40:13
Is PMD Using All CPU cores: Yes

Can any one help me in writing time prefix and time format for the above events.

Thanks in advance

woodcock · ‎05-23-2017

Like this in props.conf:

TIME_PREFIX = ([^\|]*\|){3}(\D+\d+){3}\D+
TIME_FORMAT = %Y%B%d*%H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 18

Deploy to your Indexers, restart all Splunk instances there and then verify by checking ONLY events that have been forwarded after the restarts.

skoelpin · ‎05-23-2017

Try this

TIME_FORMAT = %Y%B%d*%I:%M:%S
TIME_PREFIX = \d{4}\w+\d{2}\*\d{2}:\d{2}:\d{2}

saifuddin9122 · ‎05-23-2017

sorry it didn't worked

skoelpin · ‎05-23-2017

Which part didn't work and how are you testing this?

saifuddin9122 · ‎05-23-2017

TIME_PREFIX = \d{4}\w+\d{2}*\d{2}:\d{2}:\d{2}

i'm testing it from add data inputs, when i do it i am seeing timestamp as none

FloSwiip · ‎05-23-2017

TIME_FORMAT=%Y%B%d*%I:%M:%S
TIME_PREFIX=.*licensekey\.cpp\*\d+\*\d+\*
MAX_TIMESTAMP_LOOKAHEAD=128

works on this sample

need help in writing time prefix and time format

Troubleshooting the OpenTelemetry Collector

Adoption of Infrastructure Monitoring at Splunk

Modern way of developing distributed application using OTel