How to reformat timestamp in SYSLOG _raw

dokaas_2 — Tue, 11 Jul 2023 18:37:14 GMT

SYSLOG often sends the timestamp in the older format (e.g. Jul 11 14:23:32). Unfortunately, that format does not have a year or timezone. I know that Splunk has logic to 'figure' it out, but I need to have it reformatted to the following:

YYYY-MM-DDTHH:mm:ss<GMT offset>

Is there a way to accomplish this with INGEST_EVAL or other method? If so how is it done? This should change the _raw event(that is, this is not a search time question). Kind of like a mask.

Re: How to reformat timestamp in SYSLOG _raw

gcusello — Wed, 12 Jul 2023 06:36:01 GMT

Hi @dokaas_2,

I know two solutions:

a pre-parsing script that reformat your logs before Splunk ingest them.

the SEDCMD command.

ciao.

Giuseppe

topic How to reformat timestamp in SYSLOG _raw in Getting Data In

How to reformat timestamp in SYSLOG _raw

Re: How to reformat timestamp in SYSLOG _raw