The dojo of Splunk. Learn, share, teach, mentor.
Videos
Latest Activity
Michael Wilde replied to Nikita's discussion Count failures and success via transaction"How are these transactions linked together... by a field called "ID"? If so.. just build them with the field ID, and then use one of the MV commands to extract a field with success or failure in it. Paste some samples and…"
Michael Wegener's Discussions
How to Configure timestamps for events with multiple timestamps
2 Replies
I followed the directions for configuring custom timestamps for events with multiple timestamps but I am not getting the result I am looking for. Here is my props.conf in my…Continue
Tags: configure, timestamps
Started this discussion. Last reply by Michael Wilde Jun 21, 2010.
Michael Wegener's Page
Gifts Received
Michael Wegener has not received any gifts yet
Latest Activity
Hagar replied to Michael Wegener's discussion How to Configure timestamps for events with multiple timestamps"Try without the TIME_FORMAT
leave only the TIME_PREFIX, my guess is that splunk will identified the format itself."
Michael Wegener posted a discussionHow to Configure timestamps for events with multiple timestamps
I followed the directions for configuring custom timestamps for events with multiple timestamps but I am not getting the result I am looking for. Here is my props.conf in my $Splunk_home$/etc/system/local/ folder: [host::foo.bar.com]TIME_PREFIX = \w+ \d+ \d\d:\d\d:\d\d foo.bar.com\s+TIME_FORMAT = %b %d %H:%M:%S %Y Here are a couple of entries that I am dealing with: Jun 14 08:18:20 foo.bar.com Mon Jun 14 08:16:25 2010: 123.123.123.12 -> 231.231.231.23: 43645 NOERR 'a.b.cdf.net.' AAAA IN…See More
Profile Information
- Are you an existing splunk user?
- Licensed
- What do you do for your day job?
- Learning to use Splunk
Comment Wall
- No comments yet!
© 2012 Created by Michael Wilde.
