https://community.splunk.com/t5/Getting-Data-In/Timestamp-issue-with-firewall-logs/m-p/528346#M89081 <P>Hi all,</P><P>&nbsp;</P><P>still learning Splunk here and we just started ingesting Fortigate firewall logs. After a recent FortiGate update the logs are coming in all with a timestamp of 5am. The logs are coming in via syslog to a HF. I have tried using&nbsp;</P><P>TIME_FORMAT = date=%Y-%m-%d time=%H:%M:%S<BR />TIME_PREFIX = ^\s*&lt;\d{3}&gt;</P><P>which was suggested in another fortigate ticket without any luck. Any help is appreciated.&nbsp;</P><TABLE><TBODY><TR><TD><SPAN class="formated-time"><SPAN>11/6/20</SPAN><BR /><SPAN>5:00:00.000 AM</SPAN></SPAN></TD><TD><DIV class="shared-eventsviewer-shared-rawfield"><DIV class="json-event wrap ">&nbsp;</DIV><DIV class="raw-event normal wrap ">&lt;<SPAN class="t">189</SPAN>&gt;<SPAN class="t">logver=602055878</SPAN> <SPAN class="t">timestamp=1604673601</SPAN> <SPAN class="t">tz=</SPAN>"<SPAN class="t">UTC-5:00</SPAN>" <SPAN class="t">devname=</SPAN>"<SPAN class="t">RNHN-FW1800F</SPAN>" <SPAN class="t">devid=</SPAN>"<SPAN class="t">FG181FTK20900192</SPAN>" <SPAN class="t">vd=</SPAN>"<SPAN class="t">CORP</SPAN>" <SPAN class="t">date=2020-11-06</SPAN> <SPAN class="t">time=09:40:01</SPAN> <SPAN class="t">logid=</SPAN>"<SPAN class="t">0001000014</SPAN>" <SPAN class="t">type=</SPAN>"<SPAN class="t">traffic</SPAN>" <SPAN class="t">subtype=</SPAN>"<SPAN class="t">local</SPAN>" <SPAN class="t">level=</SPAN>"<SPAN class="t">notice</SPAN>" <SPAN class="t">eventtime=1604673601539310045</SPAN> <SPAN class="t">tz=</SPAN>"<SPAN class="t">-0500</SPAN>" <SPAN class="t">srcip=87.251.80.10</SPAN> <SPAN class="t">srcport=53887</SPAN> <SPAN class="t">srcintf=</SPAN>"<SPAN class="t">FairPoint_WAN_B</SPAN>" <SPAN class="t">srcintfrole=</SPAN>"<SPAN class="t">wan</SPAN>" <SPAN class="t">dstip=71.181.10.217</SPAN> <SPAN class="t">dstport=2256</SPAN> <SPAN class="t">dstintf=</SPAN>"<SPAN class="t">unknown0</SPAN>" <SPAN class="t">dstintfrole=</SPAN>"<SPAN class="t">undefined</SPAN>" <SPAN class="t">sessionid=45763314</SPAN> <SPAN class="t">proto=6</SPAN> <SPAN class="t">action=</SPAN>"<SPAN class="t">deny</SPAN>" <SPAN class="t">policyid=0</SPAN> <SPAN class="t">policytype=</SPAN>"<SPAN class="t">local-in-policy</SPAN>" <SPAN class="t">service=</SPAN>"<SPAN class="t">tcp/2256</SPAN>" <SPAN class="t">dstcountry=</SPAN>"<SPAN class="t">United</SPAN> <SPAN class="t">States</SPAN>" <SPAN class="t">srccountry=</SPAN>"<SPAN class="t">Russian</SPAN> <SPAN class="t">Federation</SPAN>" <SPAN class="t">trandisp=</SPAN>"<SPAN class="t">noop</SPAN>" <SPAN class="t">app=</SPAN>"<SPAN class="t">tcp/2256</SPAN>" <SPAN class="t">duration=0</SPAN> <SPAN class="t">sentbyte=0</SPAN> <SPAN class="t">rcvdbyte=0</SPAN> <SPAN class="t">sentpkt=0</SPAN> <SPAN class="t">appcat=</SPAN>"<SPAN class="t">unscanned</SPAN>" <SPAN class="t">crscore=5</SPAN> <SPAN class="t">craction=262144</SPAN> <SPAN class="t">crlevel=</SPAN>"<SPAN class="t">low</SPAN>" <SPAN class="t">mastersrcmac=</SPAN>"<SPAN class="t">02:00:40:05:26:15</SPAN>" <SPAN class="t">srcmac=</SPAN>"<SPAN class="t">02:00:40:05:26:15</SPAN>" <SPAN class="t">srcserver=1</SPAN></DIV></DIV></TD></TR></TBODY></TABLE> Fri, 06 Nov 2020 16:03:27 GMT tkerr1357 2020-11-06T16:03:27Z https://community.splunk.com/t5/Getting-Data-In/Timestamp-issue-with-firewall-logs/m-p/528346#M89081 <P>Hi all,</P><P>&nbsp;</P><P>still learning Splunk here and we just started ingesting Fortigate firewall logs. After a recent FortiGate update the logs are coming in all with a timestamp of 5am. The logs are coming in via syslog to a HF. I have tried using&nbsp;</P><P>TIME_FORMAT = date=%Y-%m-%d time=%H:%M:%S<BR />TIME_PREFIX = ^\s*&lt;\d{3}&gt;</P><P>which was suggested in another fortigate ticket without any luck. Any help is appreciated.&nbsp;</P><TABLE><TBODY><TR><TD><SPAN class="formated-time"><SPAN>11/6/20</SPAN><BR /><SPAN>5:00:00.000 AM</SPAN></SPAN></TD><TD><DIV class="shared-eventsviewer-shared-rawfield"><DIV class="json-event wrap ">&nbsp;</DIV><DIV class="raw-event normal wrap ">&lt;<SPAN class="t">189</SPAN>&gt;<SPAN class="t">logver=602055878</SPAN> <SPAN class="t">timestamp=1604673601</SPAN> <SPAN class="t">tz=</SPAN>"<SPAN class="t">UTC-5:00</SPAN>" <SPAN class="t">devname=</SPAN>"<SPAN class="t">RNHN-FW1800F</SPAN>" <SPAN class="t">devid=</SPAN>"<SPAN class="t">FG181FTK20900192</SPAN>" <SPAN class="t">vd=</SPAN>"<SPAN class="t">CORP</SPAN>" <SPAN class="t">date=2020-11-06</SPAN> <SPAN class="t">time=09:40:01</SPAN> <SPAN class="t">logid=</SPAN>"<SPAN class="t">0001000014</SPAN>" <SPAN class="t">type=</SPAN>"<SPAN class="t">traffic</SPAN>" <SPAN class="t">subtype=</SPAN>"<SPAN class="t">local</SPAN>" <SPAN class="t">level=</SPAN>"<SPAN class="t">notice</SPAN>" <SPAN class="t">eventtime=1604673601539310045</SPAN> <SPAN class="t">tz=</SPAN>"<SPAN class="t">-0500</SPAN>" <SPAN class="t">srcip=87.251.80.10</SPAN> <SPAN class="t">srcport=53887</SPAN> <SPAN class="t">srcintf=</SPAN>"<SPAN class="t">FairPoint_WAN_B</SPAN>" <SPAN class="t">srcintfrole=</SPAN>"<SPAN class="t">wan</SPAN>" <SPAN class="t">dstip=71.181.10.217</SPAN> <SPAN class="t">dstport=2256</SPAN> <SPAN class="t">dstintf=</SPAN>"<SPAN class="t">unknown0</SPAN>" <SPAN class="t">dstintfrole=</SPAN>"<SPAN class="t">undefined</SPAN>" <SPAN class="t">sessionid=45763314</SPAN> <SPAN class="t">proto=6</SPAN> <SPAN class="t">action=</SPAN>"<SPAN class="t">deny</SPAN>" <SPAN class="t">policyid=0</SPAN> <SPAN class="t">policytype=</SPAN>"<SPAN class="t">local-in-policy</SPAN>" <SPAN class="t">service=</SPAN>"<SPAN class="t">tcp/2256</SPAN>" <SPAN class="t">dstcountry=</SPAN>"<SPAN class="t">United</SPAN> <SPAN class="t">States</SPAN>" <SPAN class="t">srccountry=</SPAN>"<SPAN class="t">Russian</SPAN> <SPAN class="t">Federation</SPAN>" <SPAN class="t">trandisp=</SPAN>"<SPAN class="t">noop</SPAN>" <SPAN class="t">app=</SPAN>"<SPAN class="t">tcp/2256</SPAN>" <SPAN class="t">duration=0</SPAN> <SPAN class="t">sentbyte=0</SPAN> <SPAN class="t">rcvdbyte=0</SPAN> <SPAN class="t">sentpkt=0</SPAN> <SPAN class="t">appcat=</SPAN>"<SPAN class="t">unscanned</SPAN>" <SPAN class="t">crscore=5</SPAN> <SPAN class="t">craction=262144</SPAN> <SPAN class="t">crlevel=</SPAN>"<SPAN class="t">low</SPAN>" <SPAN class="t">mastersrcmac=</SPAN>"<SPAN class="t">02:00:40:05:26:15</SPAN>" <SPAN class="t">srcmac=</SPAN>"<SPAN class="t">02:00:40:05:26:15</SPAN>" <SPAN class="t">srcserver=1</SPAN></DIV></DIV></TD></TR></TBODY></TABLE> Fri, 06 Nov 2020 16:03:27 GMT https://community.splunk.com/t5/Getting-Data-In/Timestamp-issue-with-firewall-logs/m-p/528346#M89081 tkerr1357 2020-11-06T16:03:27Z https://community.splunk.com/t5/Getting-Data-In/Timestamp-issue-with-firewall-logs/m-p/528352#M89082 <P>The TIME_PREFIX value does not match the example data.&nbsp; Try these settings</P><LI-CODE lang="markup">TIME_FORMAT = %Y-%m-%d time=%H:%M:%S TIME_PREFIX = date=</LI-CODE> Fri, 06 Nov 2020 16:43:18 GMT https://community.splunk.com/t5/Getting-Data-In/Timestamp-issue-with-firewall-logs/m-p/528352#M89082 richgalloway 2020-11-06T16:43:18Z