Documentation > Splunk > Admin Manual > Configure timestamp assignment for events with multiple timestamps

Admin Manual

 


Welcome to Splunk administration
What to do first
Use Splunk Web
Meet Splunk apps
Configure Splunk
Indexing with Splunk
Add data and configure inputs
Set up forwarding and receiving
Configure event processing
Configure event timestamping
Configure indexed field extraction
Manage users
Manage indexes
Define alerts
Set up backups and retention policies
Configure data security
Deploy to other Splunk instances
Set up distributed search
Manage search jobs
Use Splunk's command line interface (CLI)
Configuration file reference
Troubleshooting

Configure timestamp assignment for events with multiple timestamps

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Contents

Configure timestamp assignment for events with multiple timestamps

If an event contains more than one recognizable timestamp, you can tell Splunk to use a particular timestamp. This is especially useful when indexing events that contain syslog host-chaining data.

Configure positional timestamp extraction by editing props.conf.

Configure positional timestamp extraction in props.conf

Configure Splunk to recognize a timestamp anywhere in an event by adding TIME_PREFIX = and MAX_TIMESTAMP_LOOKAHEAD = keys to a [<spec>] stanza in props.conf. Set a value for MAX_TIMESTAMP_LOOKAHEAD = to tell Splunk how far into an event to look for the timestamp. Set a value for TIME_PREFIX = to tell Splunk what pattern of characters to look for to indicate the beginning of the timestamp.

Note: Use $SPLUNK_HOME/etc/system/README/props.conf.example as an example, or create your own props.conf. Make any configuration changes to a copy of props.conf in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/.

Example: If an event looks like: 

1989/12/31 16:00:00 ed May 23 15:40:21 2007 ERROR UserManager - Exception thrown Ignoring unsupported search for eventtype: /doc sourcetype="access_combined" NOT eventtypetag=bot

To identify the timestamp: May 23 15:40:21 2007

Configure props.conf: 

[source::/Applications/splunk/var/spool/splunk]
TIME_PREFIX = \d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} \w+\s 
MAX_TIMESTAMP_LOOKAHEAD = 44

Note: Optimize the speed of timestamp extraction by setting the value of MAX_TIMESTAMP_LOOKAHEAD = to look only as far into an event as needed for the timestamp you want to extract. In this example MAX_TIMESTAMP_LOOKAHEAD = is optimized to look 44 characters into the event .

Retrieved from "http://docs.splunk.com/Documentation/Splunk/4.1/Admin/ConfigurePositionalTimestampExtraction"

This documentation applies to the following versions of Splunk: 4.1 , 4.1.1 , 4.1.2 , 4.1.3 , 4.1.4 , 4.1.5 , 4.1.6 , 4.1.7 , 4.1.8 View the Article History for its revisions.


You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!