time_prefix question

danielsimpkins · ‎03-06-2013

i've got a CSV file that has a date that isn't at the start of the line, im trying to get splunk to look for the date but can't get it to work...

Here's a small bit of the data in the CSV file (it's a CSV from the BOM):

IDCJAC0010,086071,2013,02,27,27.6,1,N
IDCJAC0010,086071,2013,02,28,21.4,1,N
IDCJAC0010,086071,2013,03,01,25.1,1,N
IDCJAC0010,086071,2013,03,02,26.9,1,N
IDCJAC0010,086071,2013,03,03,29.1,1,N
IDCJAC0010,086071,2013,03,04,32.7,1,N

The date begins at "2013" (for year), then "03" (month) and then "04" (date).

i've tried using the props thingy to tell splunk where the date is:

# your settings
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=false
TIME_PREFIX=\{d10},{d6},

i've tried

TIME_PREFIX=\{d6},

or no time prefix and just

TIME_FORMAT=%Y,%m,%d

and

TIME_PREFIX=IDCJAC0010,\d{6},

and

TIME_PREFIX=\{d10},\{d6},

and some other variations which i've now forgotten.

Anyone got any ideas for me? Im sure it's something simple i've missed...

DS

jonuwz · ‎03-07-2013

props.conf should look like this

[funnydate]
TIME_PREFIX=^\w{10},\d{6},
TIME_FORMAT=%Y,%m,%d

where funnydate is your sourcetype

Few things to consider

This should have worked : TIME_PREFIX=IDCJAC0010,\d{6}, so maybe the stanza [funnydate] in props.conf is wrong and not applying the conf - can you post the whole section from props.conf and inputs.conf ?

You cannot define time_prefix and time_format on a universal forwarder - this needs to be done on an indexer / heavy forwarder

jonuwz · ‎03-06-2013

When you say {d10} and {d6} you actually mean d{10} and d{6} yeah ?

time_prefix question

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?