topic Re: Parse Log Messages in Security

Parse Log Messages

mspiegel — Sat, 02 Oct 2010 05:04:22 GMT

I'm sending a series of events to Splunk with their own time stamp and username info that I built independently of Splunk. Is there any way to run or build a custom report such that I can use the data that I passed in as parameters, instead of only being able to choose from the parameters defined by Splunk?

Re: Parse Log Messages

southeringtonp — Sat, 02 Oct 2010 05:13:10 GMT

What do you mean by "parameters defined by Splunk"?

Are you just trying to extract new fields?
http://www.splunk.com/base/Documentation/latest/User/ExtractNewFields

http://www.splunk.com/base/Documentation/latest/User/InteractiveFieldExtractionExample

Re: Parse Log Messages

mspiegel — Tue, 05 Oct 2010 05:12:53 GMT

This helped a lot, thank you. However, I'm still unable to search over time from the self-created timestamp that I tried to pass into my splunk log message. Any ideas?

Re: Parse Log Messages

southeringtonp — Tue, 05 Oct 2010 08:25:06 GMT

Splunk is pretty good about picking up on timestamps out-of-the box. Usually if it doesn't see it, that means the timestamp is in a nonstandard format, or there's something else earlier in the message that looks like a timestamp. Also, there's a limit to how far into an event Splunk will look by default. If you can post a few lines of (sanitized) sample data, people here will be better able to help. The docs have some good information too - take a look at http://www.splunk.com/base/Documentation/latest/Admin/HowSplunkextractstimestamps