Configure timestamp extraction for events with more than one timestamp

Configure timestamp extraction for events with more than one timestamp

If an event contains more than one recognizable timestamp, you can tell Splunk to use a particular timestamp. This is especially useful when indexing events that contain syslog host-chaining data.

Configure positional timestamp extraction by editing props.conf.

Configure positional timestamp extraction in props.conf

Configure Splunk to recognize a timestamp anywhere in an event by adding TIME_PREFIX = and MAX_TIMESTAMP_LOOKAHEAD = keys to a [<spec>] stanza in props.conf. Set a value for MAX_TIMESTAMP_LOOKAHEAD = to tell Splunk how far into an event to look for the timestamp. Set a value for TIME_PREFIX = to tell Splunk what pattern of characters to look for to indicate the beginning of the timestamp.

Note: Use $SPLUNK_HOME/etc/system/README/props.conf.example as an example, or create your own props.conf. Make any configuration changes to a copy of props.conf in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/.

Example: If an event looks like:

1989/12/31 16:00:00 ed May 23 15:40:21 2007 ERROR UserManager - Exception thrown Ignoring unsupported search for eventtype: /doc sourcetype="access_combined" NOT eventtypetag=bot

To identify the timestamp: May 23 15:40:21 2007

Configure props.conf:

[source::/Applications/splunk/var/spool/splunk]
TIME_PREFIX = \d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} \w+\s 
MAX_TIMESTAMP_LOOKAHEAD = 44

Note: Optimize the speed of timestamp extraction by setting the value of MAX_TIMESTAMP_LOOKAHEAD = to look only as far into an event as needed for the timestamp you want to extract. In this example MAX_TIMESTAMP_LOOKAHEAD = is optimized to look 44 characters into the event .

• Was this topic useful?
• Post a comment