topic Re: Why is the Symantec time_format not working? in Getting Data In

Why is the Symantec time_format not working?

pfabrizi — Fri, 02 Mar 2018 12:21:57 GMT

I am trying to set the time format from our Symantec events to the value of 'occurred_on' in my props.conf.

here is the event string:
",occurred_on="March 2, 2018 6:50:14 AM",

here is how time is displayed:
3/2/18
6:50:27.000 AM

Here is my props.conf:

[symantec]

TIME_PREFIX = occurred_on=\"([A-Za-z]+\s\d{1,2},\s\d{4}\s\d{1,2}:\d{1,2}:\d{1,2})
TIME_FORMAT = %B %d, %Y %H:%M:%S

I changed the time_prefix last night to what it was. I did have it earlier as [A-Za-z\s,0-9:]+

each of these expressions worked in regex101, I changed to what it is now because I only wanted to grab the time minus the am\pm.

I have deployed and also restarted splunk on my devices.

any thought on what I am doing wrong or even how to debug these.

Thanks!

Re: Why is the Symantec time_format not working?

richgalloway — Fri, 02 Mar 2018 18:20:08 GMT

The TIME_PREFIX attribute should contain a regular expression describing what comes before the timestamp. In your case it should be TIME_PREFIX = occurred_on=\".
Your TIME_FORMAT setting doesn't quite match your sample event. Try %B %d, %Y %H:%M:%S %p. If you leave out the "%p", Splunk will interpret "6:50:27 AM" and "6:50:27 PM" as 06:50:27, which probably is not what you want.

Re: Why is the Symantec time_format not working?

pfabrizi — Fri, 02 Mar 2018 19:36:28 GMT

can you explain what the %Y:%M:%S is?

I thought %M and %S where minutes and seconds?

What about the hour?

Thanks!

Re: Why is the Symantec time_format not working?

pfabrizi — Fri, 02 Mar 2018 20:30:01 GMT

this is not working.

I am still seeing the time off,

occurred_on="March 2, 2018 3:22:10 PM"
is showing as 3:22:16 000 PM

so there is a 6+ second difference.

the text occurred_on starts at position 1165 and ends around 1204. Does this create an issue?

Re: Why is the Symantec time_format not working?

richgalloway — Sat, 03 Mar 2018 20:28:30 GMT

Sorry, I did leave out the hour. I've corrected my answer.

Re: Why is the Symantec time_format not working?

gjanders — Sun, 04 Mar 2018 00:35:29 GMT

As per the date and time format variable documentation , I think your TIME_FORMAT is close but not quite right!

Try:

TIME_FORMAT = %B %e, %Y %I:%M:%S %p

I'm not 100% sure that is correct but I think it's closer...your splunkd log files should inform you if the timestamp parsing is not working as expected

From the documentation:
%e "Like %d, the day of the month as a decimal number, but a leading zero is replaced by a space. (1 to 31) "
%I "Hour (12-hour clock) with the hours represented by the values 01 to 12. Leading zeros are accepted but not required. "

Re: Why is the Symantec time_format not working?

pfabrizi — Mon, 05 Mar 2018 13:55:20 GMT

Thanks!

Dio you recommend the trouble shooting class? Will that help with this stuff?

Re: Why is the Symantec time_format not working?

gjanders — Mon, 05 Mar 2018 21:27:27 GMT

Which troubleshooting class? I'd recommend reading the splunkd logs carefully, I even built an application to detect various errors in the logs called Alerts For Splunk Admins

Although in this case the alerts would just find the date parsing not working, the documentation for Splunk is also quite useful here...