
Event parsing for Splunk S2S events

This topic lists the supported patterns you can provide for Imply Lumi to identify timestamps within each event. The event parsing properties in this topic apply to events sent with the S2S protocol, used by the Splunk® TCP integration.

If you've already configured timestamp extraction in your Splunk heavy forwarder, find the settings in your props.conf file. See the Splunk documentation for more information.

Info: Imply Lumi supports a subset of Splunk options to configure event timestamps. If your data isn't compatible—or can't be made compatible—with the available options, see the other approaches to send events to Imply Lumi.

Event timestamps

Imply Lumi supports the following properties for timestamp extraction.

These correspond to properties of the same name in a Splunk props.conf file. For more information, see the Splunk documentation for timestamp extraction configuration.

Max timestamp look ahead

Integer number that indicates the maximum character position to look for a timestamp. If you also set TIME_PREFIX, this position starts after the matched text.

  • Default: 128
  • Example: A value of 100 means that Imply Lumi will only search for the timestamp within the first 100 characters of the event.

Time format

String pattern in strptime format to extract timestamps.

  • Default: empty string
  • Example: %Y-%m-%d %H:%M:%S

Time prefix

String regular expression that matches the text pattern preceding the timestamp.

  • Default: empty string
  • Example: [\w:]*\s[\w-]\s[\w-]\s\[

Example

Consider an event with the following message:

830:1e0e:525:e6a0:6479:cd69:c364:23c3 - - [24/Mar/2025:16:25:29 ] "POST /products/23394 HTTP/1.1" 200 1027 "https://techcrunch.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:110.0) Gecko/20100101 Firefox/110.0"

The timestamp, 24/Mar/2025:16:25:29, appears after the client IP address, any identity provided for the client, and any provided user ID.

The following settings control how Imply Lumi parses this timestamp:

  1. Time prefix: [\w:]*\s[\w-]\s[\w-]\s\[
    Look for the timestamp following this prefix.
    Matches the string 830:1e0e:525:e6a0:6479:cd69:c364:23c3 - - [.

  2. Max timestamp look ahead: 20
    Look for the timestamp within the next 20 characters.
    Starts from 2, the position immediately following the prefix.
    Matches the value 24/Mar/2025:16:25:29.

  3. Time format: %d/%b/%Y:%H:%M:%S
    Format the discovered timestamp according to this pattern.
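The three properties described above (time prefix, max timestamp look ahead, time format) and the worked example can be reproduced end to end in a few lines of Python. The block below is an added illustration, not Imply Lumi's or Splunk's code: it applies the prefix regex, limits the search to the look-ahead window that starts right after the matched prefix, and parses the first substring in that window that strptime accepts. Two details are assumptions rather than documented behaviour: an unmatched prefix yields no timestamp, and at each starting offset the longest parseable candidate wins. The settings dictionary uses the props.conf property names, and the sample event is the page's example line.

```python
import re
from datetime import datetime

# Constructed sample event: the page's example line (synthetic IPv6 client).
SAMPLE_EVENT = (
    '830:1e0e:525:e6a0:6479:cd69:c364:23c3 - - [24/Mar/2025:16:25:29 ] '
    '"POST /products/23394 HTTP/1.1" 200 1027 "https://techcrunch.com/" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:110.0) Gecko/20100101 Firefox/110.0"'
)

# Settings from the page's example; keys mirror the props.conf property names.
SETTINGS = {
    "TIME_PREFIX": r"[\w:]*\s[\w-]\s[\w-]\s\[",
    "MAX_TIMESTAMP_LOOKAHEAD": 20,
    "TIME_FORMAT": "%d/%b/%Y:%H:%M:%S",
}


def extract_timestamp(event, time_prefix="", max_lookahead=128, time_format=""):
    """Locate and parse a timestamp the way the three properties describe.

    Returns (datetime, matched_text, offset_in_event) or None when nothing
    in the look-ahead window parses. Assumptions (not stated by the page):
    an unmatched prefix yields None, and the longest parseable candidate
    at the leftmost offset wins.
    """
    if not time_format:
        return None  # the default format is empty, so there is nothing to parse with

    start = 0
    if time_prefix:
        m = re.search(time_prefix, event)
        if m is None:
            return None
        start = m.end()  # the look-ahead window begins right after the prefix

    window = event[start:start + max_lookahead]

    # strptime requires the whole string to match, so scan candidate
    # substrings: leftmost offset first, longest candidate first.
    for i in range(len(window)):
        for j in range(len(window), i, -1):
            candidate = window[i:j]
            try:
                ts = datetime.strptime(candidate, time_format)
            except ValueError:
                continue
            return ts, candidate, start + i
    return None


def parse_with_settings(event, settings):
    """Apply a props.conf-style settings dict to one event."""
    return extract_timestamp(
        event,
        time_prefix=settings.get("TIME_PREFIX", ""),
        max_lookahead=settings.get("MAX_TIMESTAMP_LOOKAHEAD", 128),
        time_format=settings.get("TIME_FORMAT", ""),
    )


if __name__ == "__main__":
    # Page settings: finds 24/Mar/2025:16:25:29 right after the prefix.
    print(parse_with_settings(SAMPLE_EVENT, SETTINGS))
    # Window too short for the full timestamp: no match.
    print(parse_with_settings(SAMPLE_EVENT, {**SETTINGS, "MAX_TIMESTAMP_LOOKAHEAD": 10}))
    # Prefix that does not occur in the event: no match.
    print(parse_with_settings(SAMPLE_EVENT, {**SETTINGS, "TIME_PREFIX": r"^no-such-prefix"}))
```

Running the block prints the parsed datetime for the page's settings and None for the two failure cases. Because the leftmost parseable substring wins, a specific prefix and a narrow look-ahead keep the search confined to the fixed part of the record rather than letting it drift into later fields such as the referrer or user agent, which is why the example uses 20 rather than the default 128.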

Learn more

For more information, see the following topics:

For information on Splunk TCP event processing, refer to the following documentation: