Configure positional timestamp extraction

Configure positional timestamp extraction

Set Splunk to use a particular timestamp if an event contains more than one recognizable timestamp. This is especially useful when indexing events that contain syslog host-chaining data.

Configure positional timestamp extraction by editing props.conf.

Configure positional timestamp extraction in props.conf

Note: Use $SPLUNK_HOME/etc/system/README/props.conf.example as an example, or create your own props.conf. Make any configuration changes to a copy of props.conf in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information on configuration files in general, see how configuration files work.

Configure Splunk to recognize a timestamp anywhere in an event by adding TIME_PREFIX = and MAX_TIMESTAMP_LOOKAHEAD = keys to a [<spec>] stanza in props.conf. Set a value for MAX_TIMESTAMP_LOOKAHEAD = to tell Splunk how far into an event to look for the timestamp. Set a value for TIME_PREFIX = to tell Splunk what pattern of characters to look for to indicate the beginning of the timestamp.

Example:

If an event looks like:

1989/12/31 16:00:00 ed May 23 15:40:21 2007 ERROR UserManager - Exception thrown Ignoring unsupported search for eventtype: /doc sourcetype="access_combined" NOT eventtypetag=bot

To identify the timestamp: May 23 15:40:21 2007

Configure props.conf:

[source::/Applications/splunk/var/spool/splunk]
TIME_PREFIX = \d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} \w+\s 
MAX_TIMESTAMP_LOOKAHEAD = 44

Note: Optimize the speed of timestamp extraction by setting the value of MAX_TIMESTAMP_LOOKAHEAD = to look only as far into an event as needed for the timestamp you want to extract. In this example MAX_TIMESTAMP_LOOKAHEAD = is optimized to look 44 characters into the event .

• Was this topic useful?
• Post a comment