https://community.splunk.com/t5/Getting-Data-In/Checkpoint-Firewall-Logs-in-Splunk/m-p/74909#M15307 <P>Thanks hazedav and gkanapathy. I went the FIELDS/DELIMS route and got the header extraction to work as well.</P> Wed, 06 Apr 2011 00:20:48 GMT dpatnam 2011-04-06T00:20:48Z https://community.splunk.com/t5/Getting-Data-In/Checkpoint-Firewall-Logs-in-Splunk/m-p/74904#M15302 <P>Hello All,</P> <P>I am trying to import some of my Checkpoint firewall logs into Splunk. I tried to setup a sample input to index the text format of these logs, but am running into issues with the header and timestamp extraction -</P> <P>Here's a sample (pruned down) semi-colon separated input from the logs -</P> <PRE><CODE>num;date;time;orig;type 0;22Mar2011;0:55:11;0.0.0.0;control 1;21Mar2011;7:09:41;0.0.0.1;log </CODE></PRE> <P>Here are the entries in my props.conf to extract the timestamp and the header info for these logs - </P> <PRE><CODE>TIME_PREFIX = ^\d+; TIME_FORMAT = %DD%MMM%YYYY;%H:%M:%S SHOULD_LINEMERGE = false TZ=GMT CHECK_FOR_HEADER = true </CODE></PRE> <P>However, it looks like Splunk is only recognizing the time and the timezone configuration but it is setting the date to the current day (Apr 5th) and is also not extracting any of the headers for the events. Any help in figuring out where I am going wrong would be greatly appreciated.</P> <P>Thank you.</P> Tue, 05 Apr 2011 22:04:07 GMT https://community.splunk.com/t5/Getting-Data-In/Checkpoint-Firewall-Logs-in-Splunk/m-p/74904#M15302 dpatnam 2011-04-05T22:04:07Z https://community.splunk.com/t5/Getting-Data-In/Checkpoint-Firewall-Logs-in-Splunk/m-p/74905#M15303 <P>dpatnam,</P> <P>For TIME_FORMAT be sure to use strptime specifiers like so:</P> <PRE><CODE>TIME_FORMAT = %d%B%Y;%H:%M:%S </CODE></PRE> <P>See also: <A href="http://docs.python.org/library/time.html" rel="nofollow">http://docs.python.org/library/time.html</A></P> Tue, 05 Apr 2011 23:19:01 GMT https://community.splunk.com/t5/Getting-Data-In/Checkpoint-Firewall-Logs-in-Splunk/m-p/74905#M15303 hazekamp 2011-04-05T23:19:01Z https://community.splunk.com/t5/Getting-Data-In/Checkpoint-Firewall-Logs-in-Splunk/m-p/74906#M15304 <P>Thanks hazedav. Just a shortwhile before you posted the answers, I found another link that has all the time specifiers (<A href="http://dev.mysql.com/doc/refman/5.5/en/date-and-time-functions.html">http://dev.mysql.com/doc/refman/5.5/en/date-and-time-functions.html</A>)</P> <P>After referring to the specifiers in this link , I changed the TIME_FORMAT as shown below and am now able to extract the correct date as well. </P> <P>TIME_FORMAT = %d%b%Y;%H:%M:%S</P> <P>The only outstanding item for me now is the header extraction. I am still looking into this.</P> Tue, 05 Apr 2011 23:34:19 GMT https://community.splunk.com/t5/Getting-Data-In/Checkpoint-Firewall-Logs-in-Splunk/m-p/74906#M15304 dpatnam 2011-04-05T23:34:19Z https://community.splunk.com/t5/Getting-Data-In/Checkpoint-Firewall-Logs-in-Splunk/m-p/74907#M15305 <P>I would highly discourage CHECK_FOR_HEADER and recommend FIELDS/DELIMS</P> Mon, 28 Sep 2020 09:27:05 GMT https://community.splunk.com/t5/Getting-Data-In/Checkpoint-Firewall-Logs-in-Splunk/m-p/74907#M15305 hazekamp 2020-09-28T09:27:05Z https://community.splunk.com/t5/Getting-Data-In/Checkpoint-Firewall-Logs-in-Splunk/m-p/74908#M15306 <P>Agree with Dave. Do not use <CODE>CHECK_FOR_HEADER</CODE>, certainly not if your fields are known and fixed. Just specify the fields and delims manually.</P> Tue, 05 Apr 2011 23:50:31 GMT https://community.splunk.com/t5/Getting-Data-In/Checkpoint-Firewall-Logs-in-Splunk/m-p/74908#M15306 gkanapathy 2011-04-05T23:50:31Z https://community.splunk.com/t5/Getting-Data-In/Checkpoint-Firewall-Logs-in-Splunk/m-p/74909#M15307 <P>Thanks hazedav and gkanapathy. I went the FIELDS/DELIMS route and got the header extraction to work as well.</P> Wed, 06 Apr 2011 00:20:48 GMT https://community.splunk.com/t5/Getting-Data-In/Checkpoint-Firewall-Logs-in-Splunk/m-p/74909#M15307 dpatnam 2011-04-06T00:20:48Z