topic Re: extract time with sc4s in Splunk Enterprise

extract time with sc4s

anissabnk — Wed, 29 Apr 2026 15:25:50 GMT

Hello,

I hope you are well. I’m having some issues with log parsing on the rsyslog side.
Let me explain: I’m working with three machines:

- Linux sources (where I store the files to be read)
- SC4S
- Splunk machine

- TA-postfix

SC4S :

I'm working with this configuration file, which allows me to define the index and the source type

logos-postfix-parser.conf : /opt/sc4s/local/config/app_parsers/syslog

# the block parser is where the "parsing" of the event happens and enrichment of meta data

# sample: <111> Mar 24 10:45:00 osnixexample: this is a test

block parser logos-postfix-rie-parser() {

channel {

rewrite {

r_set_splunk_dest_default(

index("idx_messagerie_rie")

sourcetype("st_postfix")

vendor("postfix")

product("logos")

);

};

block parser logos-postfix-interne-parser() {

channel {

rewrite {

r_set_splunk_dest_default(

index("idx_messagerie_relaisinterne")

sourcetype("st_postfix")

vendor("postfix")

product("logos")

);

};

block parser logos-postfix-externe-parser() {

channel {

rewrite {

r_set_splunk_dest_default(

index("idx_messagerie_relaisexterne") # Index cible

sourcetype("st_postfix") # Sourcetype personnalisé

vendor("postfix")

product("logos")

);

};

block parser logos-postfix-externe-cle-parser() {

channel {

rewrite {

r_set_splunk_dest_default(

index("idx_messagerie_relaisexterne_cle") # Index cible

sourcetype("st_postfix") # Sourcetype personnalisé

vendor("postfix")

product("logos")

);

};

application logos-postfix-rie[sc4s-syslog] {

filter {

#program('f_rie' type(string) flags(prefix));

program('RIE' type(string) flags(prefix));

};

parser {

logos-postfix-rie-parser();

};

application logos-postfix-interne[sc4s-syslog] {

filter {

program('INTERNE' type(string) flags(prefix));

#program('f_interne' type(string) flags(prefix));

};

parser {

logos-postfix-interne-parser();

};

application logos-postfix-externe[sc4s-syslog] {

filter {

program('EXTERNE' type(string) flags(prefix)); # <-- Filtre sur le tag

#program('f_externe' type(string) flags(prefix));

};

parser {

logos-postfix-externe-parser(); # <-- Utilise le parser dédié

};

application logos-postfix-externe-cle[sc4s-syslog] {

filter {

program('CLE' type(string) flags(prefix)); # <-- Filtre sur le tag

#program('f_externe' type(string) flags(prefix));

};

parser {

logos-postfix-externe-cle-parser(); # <-- Utilise le parser dédié

};

LINUX sources :

rsyslog.conf : /etc/rsyslog.conf

I managed to retrieve my data in Splunk, except that the tag appears at the start of the log like this; I found a way to remove it via the props.conf file on my TA:

# (EXTERNE, INTERNE, RIE, CLE)SEDCMD-remove_tag = s/^(EXTERNE|INTERNE|RIE|CLE)\s+//

So, great, the tag has been removed, but the parsing isn’t working for the timestamp.
The _time isn’t being parsed correctly; no matter how I modify props.conf, it doesn’t work. In terms of priority, _time is parsed before SDCMD.
So I tried treating the tag as if it were still there in order to parse the _time.

# Note: Extending Splunk default settings (See $SPLUNK_HOME/etc/system/default/props.conf
pulldown_type = 0

# Ignore le tag (EXTERNE/INTERNE/RIE/CLE) et pointe sur le timestamp
TIME_PREFIX = ^(?:EXTERNE|INTERNE|RIE|CLE)\s+

# Format du timestamp : "Apr 28 10:45:00"
TIME_FORMAT = %b %d %H:%M:%S

# Augmente la fenêtre de recherche pour inclure le timestamp + nom d'hôte
MAX_TIMESTAMP_LOOKAHEAD = 25

# Désactive la fusion de lignes
SHOULD_LINEMERGE = false

# Extract the subject if enabled in Postfix's configuration
REPORT-subject = postfix_subject
# Extract to/from/message-id/helo (without the '<>'s)
REPORT-angle_brackets = postfix_angle_brackets

I get the feeling the problem lies with sc4s, and that I might need to add something to rsyslog.conf, but I’m not sure how to go about it.

Can you help me?

Re: extract time with sc4s

livehybrid — Wed, 29 Apr 2026 19:55:46 GMT

Hi @anissabnk

If you are using SC4S then you'll be sending the data to Splunk HEC, depending on the endpoint this may be as a parsed event rather than a raw event, in which case the timestamp extraction wont happen because it doesnt hit that pipeline, however...you could try adding this to your props/transforms:

# props.conf [yourSourcetype] TRANSFORMS-getCorrectSC4STime = getCorrectSC4STime # transforms [getCorrectSC4STime] INGEST_EVAL = _time=strptime(_raw,"%B %d %H:%M:%S")

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Re: extract time with sc4s

anissabnk — Thu, 30 Apr 2026 08:20:03 GMT

Hello @livehybrid , I tried what you propose but unfortunately, it doesn't work :

That's what I did, on my .conf files :

props.conf :

# KSCONF-NO-SORT

[st_postfix]

# Note: Extending Splunk default settings (See $SPLUNK_HOME/etc/system/default/props.conf
pulldown_type = 0

# Ignore le tag (EXTERNE/INTERNE/RIE/CLE) et pointe sur le timestamp
TIME_PREFIX = ^(?:EXTERNE|INTERNE|RIE|CLE)\s+

# Format du timestamp : "Apr 28 10:45:00"
TIME_FORMAT = %b %d %H:%M:%S

# Augmente la fenêtre de recherche pour inclure le timestamp + nom d'hôte
MAX_TIMESTAMP_LOOKAHEAD = 25

# Désactive la fusion de lignes
SHOULD_LINEMERGE = false

# Extract the subject if enabled in Postfix's configuration
REPORT-subject = postfix_subject
# Extract to/from/message-id/helo (without the '<>'s)
REPORT-angle_brackets = postfix_angle_brackets

EXTRACT-queue_id = postfix/[\w/]+\[\d+\]:\s+(?<queue_id>[A-Fa-f0-9]{6,20}):
EXTRACT-bounce = postfix/bounce\[\d+\]: [a-fA-F0-9]{6,20}: (?<bounce_reason>[^:]+): (?<bounce_queue_id>[a-fA-F0-9]{6,20})$
EXTRACT-status_reject = postfix/smtpd\[\d+\]: (?:NOQUEUE|[A-Fa-f0-9]{6,20}): (?<status>reject):
EXTRACT-reason = status=[^\s]+\s+$(?<reason>.*)$$
EXTRACT-reject_reason = : (?<reject_reason>[^;:]+);
EXTRACT-dest = relay=(?<dest_host>[^\[ ,]+)\[(?<dest_ip>[^: \]]+)\](?::(?<dest_port>\d+))?
EXTRACT-remote_queue = queued as (?<xref>[A-Fa-f0-9]+) in reason
EXTRACT-status_code = status=\w+ \((?:host \S+ said:\s*)?(?<status_code_short>\d+)
EXTRACT-src-connect = (?:dis)?connect(?:ion after (?:HELO|CONNECT))? from (?:(?<src_host>[^\[]+)\[(?<src_ip>[\d.]+)|(?<src>.*))
# Extration of the different delays (cf. http://logreporters.sourceforge.net/faq.html#percentiles)
EXTRACT-delays = ^(?<time_before_queue>[^/]+)/(?<time_in_queue>[^/]+)/(?<time_connecting>[^/]+)/(?<time_transmitting>[^$]+)$ in delays

# Rename fields for CIM compliance with the Email data model
FIELDALIAS-status_code = dsn as status_code
#FIELDALIAS-status_code = status_code_short as status_code
FIELDALIAS-protocol = proto as protocol
FIELDALIAS-filter_action = reject_reason as filter_action
FIELDALIAS-internal_message_id = queue_id AS internal_message_id
FIELDALIAS-process_id = pid AS process_id
FIELDALIAS-src_user = from as src_user
FIELDALIAS-recipient = to as recipient
FIELDALIAS-orig_recipient = orig_to as orig_recipient
FIELDALIAS-recipient_count = nrcpt as recipient_count

# Don't extract 'src_host' if "unknown" (typical with reverse DNS disabled)
EVAL-src=coalesce(src, nullif(src_host, "unknown"), src_ip)
# FIELDALIAS-src=src_host AS src, src_ip AS src
EVAL-dest = coalesce(dest, nullif(dest_host, "unknown"), dest_ip)

LOOKUP-consts = postfix_consts sourcetype OUTPUT protocol, vendor, product
LOOKUP-actions = postfix_actions status OUTPUT action

# Email CIM requires the delay field to be in milliseconds
EVAL-delay = delay*1000

# Suppression des tags injectés par rsyslog (EXTERNE, INTERNE, RIE, CLE)
SEDCMD-remove_tag = s/^(EXTERNE|INTERNE|RIE|CLE)\s+//

#Extraction du _time
TRANSFORMS-getCorrectSC4STime = getCorrectSC4STime

transforms.conf :

# KSCONF-NO-SORT

[postfix_angle_brackets]
# Strip out the '<' or '>' from the value of the postfix log messages.
# Examples:
# to=<jdoe@aol.com>
# from=<bob@example.com>
# message-id=<20360611180017.4944318FE39@webapp.example.com>
# helo=<localhost.localdomain>
REGEX = [ ](to|from|message-id|helo)=<([^<> ]+)>
FORMAT = $1::$2

[postfix_subject]
# Logging the subject header requires changes to postfix config (disabled by default)
# main.cf: header_checks = regexp:/etc/postfix/header_checks
# header_checks: /^subject:/ WARN
# Example event:
# Nov 4 10:57:01 localhost postfix/cleanup[22492]: 2290326720: warning: header subject: test email from localhost[127.0.0.1]; from= to= proto=SMTP helo=
REGEX = header [Ss]ubject: (?<subject>.+?) from [^;]+;

# Lookups

[postfix_consts]
# Constant fields applied uniformly to ALL events
# Note: More efficient than using an 'EVAL-*' for these fields.
filename = postfix_consts.csv

[postfix_actions]
# Convert Postfix's 'status' messages into CIM 'actions' (as best as possible)
filename = postfix_actions.csv

#Extraction du _time
[getCorrectSC4STime]
INGEST_EVAL = _time=strptime(_raw,"%B %d %H:%M:%S")

Re: extract time with sc4s

inventsekar — Thu, 30 Apr 2026 10:11:08 GMT

Hi @anissabnk

may i know, after updating @livehybrid 's props and transforms, did you restart the Splunk Service

----------------------------------------------------------------------------------------------
If this post or any post addressed your question, could you pls:
Give it karma to show appreciation

PS - As of Apr 2026, my Karma Given is 2290 and my Karma Received is 494, lets revamp the Karma Culture!
Thanks and best regards, Sekar
----------------------------------------------------------------------------------------------

Re: extract time with sc4s

anissabnk — Thu, 30 Apr 2026 12:16:15 GMT

Yes, of course, I restarted splunk, but it doesn't work.

Re: extract time with sc4s

inventsekar — Thu, 30 Apr 2026 13:50:33 GMT

Ok Sure @anissabnk

Next, lets check what props and transforms are being applied.

Could you pls try:

splunk btool props list <sourcetype> --debug
splunk btool transforms list <transform_name> --debug

----------------------------------------------------------------------------------------------
If this post or any post addressed your question, could you pls:
Give it karma to show appreciation

PS - As of Apr 2026, my Karma Given is 2290 and my Karma Received is 494, lets revamp the Karma Culture!
Thanks and best regards, Sekar
--------------------------------------------------------------------------------------------

Re: extract time with sc4s

anissabnk — Mon, 04 May 2026 14:34:24 GMT

Hello,
For the sourcetype, that's what I obtain :

[splunk@splunk ~]$ /opt/splunk/bin/splunk btool props list st_postfix --debug
/opt/splunk/etc/apps/TA-postfix/local/props.conf [st_postfix]
/opt/splunk/etc/system/default/props.conf ADD_EXTRA_TIME_FIELDS = True
/opt/splunk/etc/system/default/props.conf ANNOTATE_PUNCT = True
/opt/splunk/etc/system/default/props.conf AUTO_KV_JSON = true
/opt/splunk/etc/system/default/props.conf BREAK_ONLY_BEFORE =
/opt/splunk/etc/system/default/props.conf BREAK_ONLY_BEFORE_DATE = True
/opt/splunk/etc/system/default/props.conf CHARSET = UTF-8
/opt/splunk/etc/system/default/props.conf DATETIME_CONFIG = /etc/datetime.xml
/opt/splunk/etc/system/default/props.conf DEPTH_LIMIT = 1000
/opt/splunk/etc/system/default/props.conf DETERMINE_TIMESTAMP_DATE_WITH_SYSTEM_TIME = false
/opt/splunk/etc/apps/TA-postfix/local/props.conf EVAL-delay = delay*1000
/opt/splunk/etc/apps/TA-postfix/local/props.conf EVAL-dest = coalesce(dest, nullif(dest_host, "unknown"), dest_ip)
/opt/splunk/etc/apps/TA-postfix/local/props.conf EVAL-src=coalesce(src, nullif(src_host, "unknown"), src_ip)
/opt/splunk/etc/apps/TA-postfix/local/props.conf EXTRACT-bounce = postfix/bounce\[\d+\]: [a-fA-F0-9]{6,20}: (?<bounce_reason>[^:]+): (?<bounce_queue_id>[a-fA-F0-9]{6,20})$
/opt/splunk/etc/apps/TA-postfix/local/props.conf EXTRACT-delays = ^(?<time_before_queue>[^/]+)/(?<time_in_queue>[^/]+)/(?<time_connecting>[^/]+)/(?<time_transmitting>[^$]+)$ in delays
/opt/splunk/etc/apps/TA-postfix/local/props.conf EXTRACT-dest = relay=(?<dest_host>[^\[ ,]+)\[(?<dest_ip>[^: \]]+)\](?::(?<dest_port>\d+))?
/opt/splunk/etc/apps/TA-postfix/local/props.conf EXTRACT-queue_id = postfix/[\w/]+\[\d+\]:\s+(?<queue_id>[A-Fa-f0-9]{6,20}):
/opt/splunk/etc/apps/TA-postfix/local/props.conf EXTRACT-reason = status=[^\s]+\s+$(?<reason>.*)$$
/opt/splunk/etc/apps/TA-postfix/local/props.conf EXTRACT-reject_reason = : (?<reject_reason>[^;:]+);
/opt/splunk/etc/apps/TA-postfix/local/props.conf EXTRACT-remote_queue = queued as (?<xref>[A-Fa-f0-9]+) in reason
/opt/splunk/etc/apps/TA-postfix/local/props.conf EXTRACT-src-connect = (?:dis)?connect(?:ion after (?:HELO|CONNECT))? from (?:(?<src_host>[^\[]+)\[(?<src_ip>[\d.]+)|(?<src>.*))
/opt/splunk/etc/apps/TA-postfix/local/props.conf EXTRACT-status_code = status=\w+ \((?:host \S+ said:\s*)?(?<status_code_short>\d+)
/opt/splunk/etc/apps/TA-postfix/local/props.conf EXTRACT-status_reject = postfix/smtpd\[\d+\]: (?:NOQUEUE|[A-Fa-f0-9]{6,20}): (?<status>reject):
/opt/splunk/etc/apps/TA-postfix/local/props.conf FIELDALIAS-filter_action = reject_reason as filter_action
/opt/splunk/etc/apps/TA-postfix/local/props.conf FIELDALIAS-internal_message_id = queue_id AS internal_message_id
/opt/splunk/etc/apps/TA-postfix/local/props.conf FIELDALIAS-orig_recipient = orig_to as orig_recipient
/opt/splunk/etc/apps/TA-postfix/local/props.conf FIELDALIAS-process_id = pid AS process_id
/opt/splunk/etc/apps/TA-postfix/local/props.conf FIELDALIAS-protocol = proto as protocol
/opt/splunk/etc/apps/TA-postfix/local/props.conf FIELDALIAS-recipient = to as recipient
/opt/splunk/etc/apps/TA-postfix/local/props.conf FIELDALIAS-recipient_count = nrcpt as recipient_count
/opt/splunk/etc/apps/TA-postfix/local/props.conf FIELDALIAS-src_user = from as src_user
/opt/splunk/etc/apps/TA-postfix/local/props.conf FIELDALIAS-status_code = dsn as status_code
/opt/splunk/etc/system/default/props.conf HEADER_MODE =
/opt/splunk/etc/system/default/props.conf LB_CHUNK_BREAKER_TRUNCATE = 2000000
/opt/splunk/etc/system/default/props.conf LEARN_MODEL = true
/opt/splunk/etc/system/default/props.conf LEARN_SOURCETYPE = true
/opt/splunk/etc/system/default/props.conf LINE_BREAKER_LOOKBEHIND = 100
/opt/splunk/etc/apps/TA-postfix/local/props.conf LOOKUP-actions = postfix_actions status OUTPUT action
/opt/splunk/etc/apps/TA-postfix/local/props.conf LOOKUP-consts = postfix_consts sourcetype OUTPUT protocol, vendor, product
/opt/splunk/etc/system/default/props.conf MATCH_LIMIT = 100000
/opt/splunk/etc/system/default/props.conf MAX_DAYS_AGO = 2000
/opt/splunk/etc/system/default/props.conf MAX_DAYS_HENCE = 2
/opt/splunk/etc/system/default/props.conf MAX_DIFF_SECS_AGO = 3600
/opt/splunk/etc/system/default/props.conf MAX_DIFF_SECS_HENCE = 604800
/opt/splunk/etc/system/default/props.conf MAX_EVENTS = 256
/opt/splunk/etc/system/default/props.conf MAX_EXPECTED_EVENT_LINES = 7
/opt/splunk/etc/apps/TA-postfix/local/props.conf MAX_TIMESTAMP_LOOKAHEAD = 25
/opt/splunk/etc/system/default/props.conf MUST_BREAK_AFTER =
/opt/splunk/etc/system/default/props.conf MUST_NOT_BREAK_AFTER =
/opt/splunk/etc/system/default/props.conf MUST_NOT_BREAK_BEFORE =
/opt/splunk/etc/apps/TA-postfix/local/props.conf REPORT-angle_brackets = postfix_angle_brackets
/opt/splunk/etc/apps/TA-postfix/local/props.conf REPORT-subject = postfix_subject
/opt/splunk/etc/apps/TA-postfix/local/props.conf SEDCMD-remove_tag = s/^(EXTERNE|INTERNE|RIE|CLE)\s+//
/opt/splunk/etc/system/default/props.conf SEGMENTATION = indexing
/opt/splunk/etc/system/default/props.conf SEGMENTATION-all = full
/opt/splunk/etc/system/default/props.conf SEGMENTATION-inner = inner
/opt/splunk/etc/system/default/props.conf SEGMENTATION-outer = outer
/opt/splunk/etc/system/default/props.conf SEGMENTATION-raw = none
/opt/splunk/etc/system/default/props.conf SEGMENTATION-standard = standard
/opt/splunk/etc/apps/TA-postfix/local/props.conf SHOULD_LINEMERGE = false
/opt/splunk/etc/apps/TA-postfix/local/props.conf TIME_FORMAT = %b %d %H:%M:%S
/opt/splunk/etc/apps/TA-postfix/local/props.conf TIME_PREFIX = ^(?:EXTERNE|INTERNE|RIE|CLE)\s+
/opt/splunk/etc/system/default/props.conf TRANSFORMS =
/opt/splunk/etc/system/default/props.conf TRUNCATE = 10000
/opt/splunk/etc/system/default/props.conf detect_trailing_nulls = false
/opt/splunk/etc/system/default/props.conf maxDist = 100
/opt/splunk/etc/system/default/props.conf priority =
/opt/splunk/etc/apps/TA-postfix/local/props.conf pulldown_type = 0
/opt/splunk/etc/system/default/props.conf sourcetype =
/opt/splunk/etc/system/default/props.conf termFrequencyWeightedDist = false
/opt/splunk/etc/system/default/props.conf unarchive_cmd_start_mode = shell