Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Hi, Want to extract timestamp for below log using props.conf . Any Suggestion

shinde0509
Explorer
‎06-15-2017 02:45 AM

2017-04-02 so-splunky.local 22:45:19.023 -0600 sshd[68061]: Accepted keyboard-interactive/pam for sowings from xx.xx.xx.xx port xx ssh2
2017-04-02 so-splunky.local 23:45:23.142 -0500 sshd[68608]: Accepted keyboard-interactive/pam for sowings from xx.xx.xx.xx port 36477 ssh2

Tags (1)
0 Karma
Reply

somesoni2
Revered Legend
‎06-15-2017 09:51 AM

Here is what I would use (Assming timeformat is YYYY-MM-DD, swap MM-DD in TIME_FORMAT if different)

props.conf on Heavy forwarder/Indexer (whichever comes first in the flow)

[yoursourcetypehere]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=\d{4}-\d{2}-\d{2}\s\w+)
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d so-splunky.local %H:%M:%S:%N %Z
MAX_TIMESTAMP_LOOKAHEAD = 46
0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...