https://community.splunk.com/t5/Splunk-Enterprise/TIME-FORMAT-UDP-Input-Fail/m-p/20885#M8444 <P>only for search time field extractions, which I don't think is what is intended here:</P> <P>FORMAT for search-time extractions:<BR /> * The format of this field as used during search time extractions is as follows:<BR /> * FORMAT = <FIELD-NAME>::<FIELD-VALUE>( <FIELD-NAME>::<FIELD-VALUE>)* <BR /> * where:<BR /> * field-name = [<STRING>|$<EXTRACTING-GROUP-NUMBER>]<BR /> * field-value = [<STRING>|$<EXTRACTING-GROUP-NUMBER>]<BR /> * Search-time extraction examples:<BR /> * 1. FORMAT = first::$1 second::$2 third::other-value<BR /> * 2. FORMAT = $1::$2</EXTRACTING-GROUP-NUMBER></STRING></EXTRACTING-GROUP-NUMBER></STRING></FIELD-VALUE></FIELD-NAME></FIELD-VALUE></FIELD-NAME></P> Mon, 30 Jul 2012 19:04:33 GMT jbsplunk 2012-07-30T19:04:33Z https://community.splunk.com/t5/Splunk-Enterprise/TIME-FORMAT-UDP-Input-Fail/m-p/20878#M8437 <P>Hi,</P> <P>I am trying to use a different timestamp located in the event data. This is a UDP input on a forwarder which I have first created a new sourcetype.</P> <P><STRONG>props</STRONG></P> <PRE><CODE>[source::udp:514] TRANSFORMS-changesource = new_sourcetype </CODE></PRE> <P><STRONG>transforms</STRONG></P> <PRE><CODE>[new_sourcetype] DEST_KEY = MetaData:Sourcetype REGEX = mydata FORMAT = sourcetype::newsourcetype </CODE></PRE> <P>Then on my indexer splunk is automatically appending the date + host to my events coming from UDP, this can be stopped by using "no_appending_timestamp = true" under the input and this actually causes splunk to see the correct date from the raw data.</P> <P>I believe you cannot apply timestamp changes to sourcetypes that have been generated in a transform?</P> <P>I have tried the following on the indexer but with no luck:</P> <P><STRONG>props</STRONG></P> <PRE><CODE>[host::192.168.1.1] MAX_TIMESTAMP_LOOKAHEAD = 30 TIME_FORMAT = %b %d %H:%M:%S.%6N </CODE></PRE> <P><STRONG>Example data coming in via syslog-ng</STRONG></P> <PRE><CODE>Jul 30 12:57:02.68787 host1 testdaemon: DEBUG Starting daemon </CODE></PRE> <P><STRONG>This gets indexed</STRONG></P> <PRE><CODE>Jul 30 12:57:02 192.168.1.1 Jul 30 12:57:02.687871 host1 testdaemon: DEBUG Starting daemon </CODE></PRE> <P>Help would be appreciated as I have rattled my brain for hours now! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Mon, 28 Sep 2020 12:10:01 GMT https://community.splunk.com/t5/Splunk-Enterprise/TIME-FORMAT-UDP-Input-Fail/m-p/20878#M8437 matthewparry 2020-09-28T12:10:01Z https://community.splunk.com/t5/Splunk-Enterprise/TIME-FORMAT-UDP-Input-Fail/m-p/20879#M8438 <P>You're trying to use the syslog-ng stamp at the beginning of the line, or the device's native stamp starting after its IP address?</P> Mon, 30 Jul 2012 12:31:35 GMT https://community.splunk.com/t5/Splunk-Enterprise/TIME-FORMAT-UDP-Input-Fail/m-p/20879#M8438 sowings 2012-07-30T12:31:35Z https://community.splunk.com/t5/Splunk-Enterprise/TIME-FORMAT-UDP-Input-Fail/m-p/20880#M8439 <P>No. once the sourcetype has been changed then it will have passed the index time parsing.<BR /> What you want to do is apply the timestamp stripping from the syslog message first and then change the sourcetype, e.g;</P> <PRE><CODE>[source::udp:514] TRANSFORMS-stripts = strip_timestamp TRANSFORMS-changesource = new_sourcetype </CODE></PRE> <P>You could still do it on a per host basis though, there may be another way to wriggle it round but this is the way I've ended up doing it on my implementations</P> Mon, 30 Jul 2012 12:59:42 GMT https://community.splunk.com/t5/Splunk-Enterprise/TIME-FORMAT-UDP-Input-Fail/m-p/20880#M8439 Drainy 2012-07-30T12:59:42Z https://community.splunk.com/t5/Splunk-Enterprise/TIME-FORMAT-UDP-Input-Fail/m-p/20881#M8440 <P>I am trying to use the time from syslog-ng "Jul 30 12:57:02.687871" as the event time.</P> Mon, 30 Jul 2012 13:28:13 GMT https://community.splunk.com/t5/Splunk-Enterprise/TIME-FORMAT-UDP-Input-Fail/m-p/20881#M8440 matthewparry 2012-07-30T13:28:13Z https://community.splunk.com/t5/Splunk-Enterprise/TIME-FORMAT-UDP-Input-Fail/m-p/20882#M8441 <P>I have a heavy forwarder that receives the UDP syslog data which then forwards this to the indexer.<BR /> For some reason when trying to create the source type, this needs to be on the forwarder? and the timestamp changes need to be done on the indexer?</P> <P>This means it will never execute in the correct order?</P> Mon, 30 Jul 2012 13:40:47 GMT https://community.splunk.com/t5/Splunk-Enterprise/TIME-FORMAT-UDP-Input-Fail/m-p/20882#M8441 matthewparry 2012-07-30T13:40:47Z https://community.splunk.com/t5/Splunk-Enterprise/TIME-FORMAT-UDP-Input-Fail/m-p/20883#M8442 <P>On your heavy forwarder, you've made some mistakes. </P> <P>For props.conf, I would add TIME_PREFIX with a regex to match the data that comes before the timestamp you want to extract</P> <P>[host::192.168.1.1]<BR /> MAX_TIMESTAMP_LOOKAHEAD = 30<BR /> TIME_PREFIX = REGEX<BR /> TIME_FORMAT = %b %d %H:%M:%S.%6N</P> <P>This transform is incorrect: </P> <P>FORMAT = sourcetype::newsourcetype </P> <P>What you should be doing looks like this:</P> <P>[new_sourcetype]<BR /> DEST_KEY = MetaData:Sourcetype<BR /> REGEX = mydata<BR /> FORMAT = newsourcetype</P> Mon, 28 Sep 2020 12:10:10 GMT https://community.splunk.com/t5/Splunk-Enterprise/TIME-FORMAT-UDP-Input-Fail/m-p/20883#M8442 jbsplunk 2020-09-28T12:10:10Z https://community.splunk.com/t5/Splunk-Enterprise/TIME-FORMAT-UDP-Input-Fail/m-p/20884#M8443 <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/Admin/Transformsconf">This document</A> suggests that the "sourcetype::" is in fact needed.</P> Mon, 30 Jul 2012 18:44:00 GMT https://community.splunk.com/t5/Splunk-Enterprise/TIME-FORMAT-UDP-Input-Fail/m-p/20884#M8443 sowings 2012-07-30T18:44:00Z https://community.splunk.com/t5/Splunk-Enterprise/TIME-FORMAT-UDP-Input-Fail/m-p/20885#M8444 <P>only for search time field extractions, which I don't think is what is intended here:</P> <P>FORMAT for search-time extractions:<BR /> * The format of this field as used during search time extractions is as follows:<BR /> * FORMAT = <FIELD-NAME>::<FIELD-VALUE>( <FIELD-NAME>::<FIELD-VALUE>)* <BR /> * where:<BR /> * field-name = [<STRING>|$<EXTRACTING-GROUP-NUMBER>]<BR /> * field-value = [<STRING>|$<EXTRACTING-GROUP-NUMBER>]<BR /> * Search-time extraction examples:<BR /> * 1. FORMAT = first::$1 second::$2 third::other-value<BR /> * 2. FORMAT = $1::$2</EXTRACTING-GROUP-NUMBER></STRING></EXTRACTING-GROUP-NUMBER></STRING></FIELD-VALUE></FIELD-NAME></FIELD-VALUE></FIELD-NAME></P> Mon, 30 Jul 2012 19:04:33 GMT https://community.splunk.com/t5/Splunk-Enterprise/TIME-FORMAT-UDP-Input-Fail/m-p/20885#M8444 jbsplunk 2012-07-30T19:04:33Z https://community.splunk.com/t5/Splunk-Enterprise/TIME-FORMAT-UDP-Input-Fail/m-p/20886#M8445 <P>I am actually using:</P> <P>[host::192.168.1.1]<BR /> MAX_TIMESTAMP_LOOKAHEAD = 30<BR /> TIME_PREFIX = .+(?=\w{3} \d{2} \d{2}:\d{2}:\d{2}.\d{6}) <BR /> TIME_FORMAT = %b %d %H:%M:%S.%6N</P> <P>This has worked. I am unable to get it too work by substituting the [host::192.168.1.1] for a sourcetype but I believe this is due to the fact I am using a transform to generate a new sourcetype and the timestamps need to come before any transforms..</P> Mon, 28 Sep 2020 12:10:26 GMT https://community.splunk.com/t5/Splunk-Enterprise/TIME-FORMAT-UDP-Input-Fail/m-p/20886#M8445 matthewparry 2020-09-28T12:10:26Z