
Event parsing for S2S events

This topic lists the supported patterns you can provide for Imply Lumi to identify timestamps within each event. The event parsing properties in this topic apply to events sent with the Splunk®-to-Splunk (S2S) protocol, used by the S2S integration.

If you've already configured timestamp extraction in your Splunk heavy forwarder, you can reuse the settings from your props.conf file. See the Splunk documentation for more information.

Info: Lumi supports a subset of the Splunk options for configuring event timestamps. If your data isn't compatible, or can't be made compatible, with the available options, see the other approaches to send events to Lumi.

Event timestamps

Lumi supports the following properties for timestamp extraction.

These correspond to properties of the same name in a Splunk props.conf file. For more information, see the Splunk documentation for timestamp extraction configuration.

Time prefix

String regular expression that matches the text pattern preceding the timestamp.

  • Default: empty string
  • Example: [\w\.:]*\s[\w-]*\s[\w-]*\s\[
  • Splunk configuration: TIME_PREFIX

Max timestamp lookahead

Integer that sets how many characters, counted from the start of the event, Lumi searches for a timestamp. If you also set the time prefix, counting starts immediately after the text matched by the prefix.

  • Default: 128
  • Example: A value of 100 means that Lumi searches for the timestamp within the first 100 characters of the event.
  • Splunk configuration: MAX_TIMESTAMP_LOOKAHEAD

Time format

String pattern in strptime format to extract timestamps.

  • Default: empty string
  • Example: %Y-%m-%d %H:%M:%S
  • Splunk configuration: TIME_FORMAT

Example

Consider an event with the following message:

830:1e0e:525:e6a0:6479:cd69:c364:23c3 - - [24/Mar/2025:16:25:29 -0500] "POST /products/23394 HTTP/1.1" 200 1027 "https://techcrunch.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:110.0) Gecko/20100101 Firefox/110.0"

The timestamp, 24/Mar/2025:16:25:29 -0500, appears after the client IP address, any identity provided for the client, and any provided user ID.

The following settings control how Lumi parses this timestamp:

  1. Time prefix: [\w\.:]*\s[\w-]*\s[\w-]*\s\[
    Look for the timestamp following this regular expression pattern:

    • [\w\.:]* to match zero or more word characters, periods, or colons
    • \s to match a single space
    • [\w-]* to match zero or more word characters or hyphens
    • \s to match a single space
    • [\w-]* to match zero or more word characters or hyphens
    • \s to match a single space
    • \[ to match an opening square bracket

    Matches the string 830:1e0e:525:e6a0:6479:cd69:c364:23c3 - - [.

  2. Max timestamp lookahead: 20
    Look for the timestamp within the next 20 characters.
    Starts from 2, the position immediately following the prefix.
    Matches the value 24/Mar/2025:16:25:29.

  3. Time format: %d/%b/%Y:%H:%M:%S
    Parse the discovered timestamp according to this strptime pattern.
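The three properties above (and the property descriptions earlier on this page) combine into a single search: match the prefix, cut a lookahead window, then parse with the strptime format. The following Python script is an added example that models that search on the page's sample event; it is not Lumi's or Splunk's implementation. It assumes the prefix is located with an unanchored regex search, that the first (leftmost, longest) substring of the window that strptime accepts is the timestamp, and that a time format is always given (Splunk's automatic format detection when TIME_FORMAT is empty is not modelled). It also shows one caveat worth checking in your own config: the page's format %d/%b/%Y:%H:%M:%S has no %z, so the -0500 offset in the event is never captured, and widening the format to include %z only works if the lookahead is also large enough to cover it.

```python
import re
from datetime import datetime
from typing import NamedTuple, Optional

# Constructed sample input: the access-log line used as the example on this page.
SAMPLE_EVENT = (
    '830:1e0e:525:e6a0:6479:cd69:c364:23c3 - - [24/Mar/2025:16:25:29 -0500] '
    '"POST /products/23394 HTTP/1.1" 200 1027 "https://techcrunch.com/" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:110.0) Gecko/20100101 Firefox/110.0"'
)

# The TIME_PREFIX value from the page's example.
TIME_PREFIX = r"[\w\.:]*\s[\w-]*\s[\w-]*\s\["


class ParsedTimestamp(NamedTuple):
    value: datetime  # naive unless the format contains %z
    text: str        # the exact substring that strptime accepted
    position: int    # character offset of that substring within the event


def extract_timestamp(event: str, time_prefix: str = "", max_lookahead: int = 128,
                      time_format: str = "") -> Optional[ParsedTimestamp]:
    """Model of the prefix / lookahead / format search (an assumption, not Lumi's code).

    Returns None when the prefix does not match or when no substring of the
    lookahead window parses with the given format.
    """
    if not time_format:
        raise ValueError("this model requires an explicit time_format (no auto-detection)")

    # 1. Time prefix: the search window begins right after the matched prefix text.
    start = 0
    if time_prefix:
        prefix_match = re.search(time_prefix, event)
        if prefix_match is None:
            return None
        start = prefix_match.end()

    # 2. Max timestamp lookahead: only this many characters after the prefix are examined.
    window = event[start:start + max_lookahead]

    # 3. Time format: strptime must match a candidate exactly, so try every
    #    substring, leftmost start first and longest candidate first so that
    #    "…:29" is preferred over a shorter "…:2" that %S would also accept.
    for offset in range(len(window)):
        for end in range(len(window), offset, -1):
            candidate = window[offset:end]
            try:
                value = datetime.strptime(candidate, time_format)
            except ValueError:
                continue
            return ParsedTimestamp(value, candidate, start + offset)
    return None


if __name__ == "__main__":
    # The page's settings, then two variants that include the UTC offset.
    for fmt, lookahead in (("%d/%b/%Y:%H:%M:%S", 20),
                           ("%d/%b/%Y:%H:%M:%S %z", 20),
                           ("%d/%b/%Y:%H:%M:%S %z", 26)):
        print(f"format={fmt!r} lookahead={lookahead}:",
              extract_timestamp(SAMPLE_EVENT, TIME_PREFIX, lookahead, fmt))
```

With the page's settings the prefix match ends at offset 43 (the 37-character client address plus " - - ["), the 20-character window is exactly "24/Mar/2025:16:25:29", and the result is a naive datetime. Adding " %z" to the format while keeping the lookahead at 20 yields no match at all, because the window ends before " -0500"; raising the lookahead to 26 produces an offset-aware value. When you move a props.conf stanza to Lumi, check the lookahead against the longest timestamp your format can produce in the same way.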
