<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Different timestamps from same source (udp syslog) and host in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Different-timestamps-from-same-source-udp-syslog-and-host/m-p/69513#M14115</link>
    <description>&lt;P&gt;I have a host that is sending syslog entries with a couple of different formats.  I have resolved how to roll multiline inputs into a single event; however, it has caused a problem with timestamp extraction on some subsequent events with a different format.  Here are some example inputs from the same host:&lt;/P&gt;

&lt;P&gt;Aug  5 14:09:57 1.2.3.4 Aug  5 14:03:26 hostname CSCOacs_TACACS_Accounting 0000053283 2 0 2011-08-05 14:03:26.411 -08:00 0000160939 3301 NOTICE Tacacs-Accounting: TACACS+ Accounting START, ACSVersion=acs-5.1.0.44-B.2347, ConfigVersionId=3, Device IP Address=4.3.2.1, RequestLatency=1, NetworkDeviceName=HOSTNAME_2911, Type=Accounting, Privilege-Level=1, Service=None, Authen-Method=NotSet, AVPair=task_id=1, AVPair=timezone=PST, AVPair=event=sys_acct, AVPair=reason=reload, AVPair=reload-reason=power-on, AVPair=ios-version=Cisco IOS Software\, C2900 Software (C2900-UNIVERSALK9-M)\, Version 15.0(1)M3\, RELEASE SOFTWARE (fc2)&lt;BR /&gt;
Technical Support: &lt;A href="http://www.cisco.com/techsupport" target="_blank"&gt;http://www.cisco.com/techsupport&lt;/A&gt;&lt;BR /&gt;
Copyright (c) 1986-2010 by Cisco Systems\, Inc.&lt;BR /&gt;
Compiled Thu 04-Aug-11 16:33 by mtillu, AcctRequest-Flags=Start, Service-Argument=system, AcsSessionID=ldbpcicacs/102307938/506, SelectedAccessService=Store_2911, Step=13006 , Step=15008 , Step=15006 , Step=15012 , Step=13035 , NetworkDeviceGroups=Location:All Locations:Store ISRs,&lt;/P&gt;

&lt;P&gt;I have used the following in \etc\system\local\props.conf&lt;/P&gt;

&lt;P&gt;[host::1.2.3.4]&lt;BR /&gt;
LINE_BREAKER = ([\r\n]+(?=\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}|Compiled))&lt;BR /&gt;
SHOULD_LINEMERGE = false&lt;BR /&gt;
TIME_PREFIX = ^&lt;BR /&gt;
TIME_FORMAT = %h %e %H:%M:%S&lt;BR /&gt;
MAX_TIMESTAMP_LOOKAHEAD = 2&lt;/P&gt;

&lt;P&gt;This works; however, the time is no longer being extracted properly from the last event listed.  If I remove the TIME_PREFIX, TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD, things seem to work.  However, those entries were recommended by Splunk Support and I wonder how necessary they are.  Is there a way to help with the extraction given the different formats, or should I just leave the time-related functions out of props.conf?&lt;/P&gt;</description>
    <pubDate>Mon, 28 Sep 2020 09:51:58 GMT</pubDate>
    <dc:creator>cbdick</dc:creator>
    <dc:date>2020-09-28T09:51:58Z</dc:date>
    <item>
      <title>Different timestamps from same source (udp syslog) and host</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Different-timestamps-from-same-source-udp-syslog-and-host/m-p/69513#M14115</link>
      <description>&lt;P&gt;I have a host that is sending syslog entries with a couple of different formats.  I have resolved how to roll multiline inputs into a single event; however, it has caused a problem with timestamp extraction on some subsequent events with a different format.  Here are some example inputs from the same host:&lt;/P&gt;

&lt;P&gt;Aug  5 14:09:57 1.2.3.4 Aug  5 14:03:26 hostname CSCOacs_TACACS_Accounting 0000053283 2 0 2011-08-05 14:03:26.411 -08:00 0000160939 3301 NOTICE Tacacs-Accounting: TACACS+ Accounting START, ACSVersion=acs-5.1.0.44-B.2347, ConfigVersionId=3, Device IP Address=4.3.2.1, RequestLatency=1, NetworkDeviceName=HOSTNAME_2911, Type=Accounting, Privilege-Level=1, Service=None, Authen-Method=NotSet, AVPair=task_id=1, AVPair=timezone=PST, AVPair=event=sys_acct, AVPair=reason=reload, AVPair=reload-reason=power-on, AVPair=ios-version=Cisco IOS Software\, C2900 Software (C2900-UNIVERSALK9-M)\, Version 15.0(1)M3\, RELEASE SOFTWARE (fc2)&lt;BR /&gt;
Technical Support: &lt;A href="http://www.cisco.com/techsupport" target="_blank"&gt;http://www.cisco.com/techsupport&lt;/A&gt;&lt;BR /&gt;
Copyright (c) 1986-2010 by Cisco Systems\, Inc.&lt;BR /&gt;
Compiled Thu 04-Aug-11 16:33 by mtillu, AcctRequest-Flags=Start, Service-Argument=system, AcsSessionID=ldbpcicacs/102307938/506, SelectedAccessService=Store_2911, Step=13006 , Step=15008 , Step=15006 , Step=15012 , Step=13035 , NetworkDeviceGroups=Location:All Locations:Store ISRs,&lt;/P&gt;

&lt;P&gt;I have used the following in \etc\system\local\props.conf&lt;/P&gt;

&lt;P&gt;[host::1.2.3.4]&lt;BR /&gt;
LINE_BREAKER = ([\r\n]+(?=\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}|Compiled))&lt;BR /&gt;
SHOULD_LINEMERGE = false&lt;BR /&gt;
TIME_PREFIX = ^&lt;BR /&gt;
TIME_FORMAT = %h %e %H:%M:%S&lt;BR /&gt;
MAX_TIMESTAMP_LOOKAHEAD = 2&lt;/P&gt;

&lt;P&gt;This works; however, the time is no longer being extracted properly from the last event listed.  If I remove the TIME_PREFIX, TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD, things seem to work.  However, those entries were recommended by Splunk Support and I wonder how necessary they are.  Is there a way to help with the extraction given the different formats, or should I just leave the time-related functions out of props.conf?&lt;/P&gt;</description>
      <pubDate>Mon, 28 Sep 2020 09:51:58 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Different-timestamps-from-same-source-udp-syslog-and-host/m-p/69513#M14115</guid>
      <dc:creator>cbdick</dc:creator>
      <dc:date>2020-09-28T09:51:58Z</dc:date>
    </item>
    <item>
      <title>Re: Different timestamps from same source (udp syslog) and host</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Different-timestamps-from-same-source-udp-syslog-and-host/m-p/69514#M14116</link>
      <description>&lt;P&gt;Got a response that handling multiple timestamp types can be done with a combination of the condition in the LINE_BREAKER and a TIME_FORMAT=\etc\system\local\custom_datetime.xml definition.&lt;/P&gt;</description>
      <pubDate>Mon, 28 Sep 2020 09:52:06 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Different-timestamps-from-same-source-udp-syslog-and-host/m-p/69514#M14116</guid>
      <dc:creator>cbdick</dc:creator>
      <dc:date>2020-09-28T09:52:06Z</dc:date>
    </item>
  </channel>
</rss>