<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic SC4S Timestamp Extraction for Custom Inputs in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/SC4S-Timestamp-Extraction-for-Custom-Inputs/m-p/537638#M90101</link>
    <description>&lt;P&gt;Hi,&amp;nbsp;&lt;/P&gt;&lt;P&gt;I created my custom input (mytest.conf.tmpl) by copying the&amp;nbsp;&lt;SPAN class="s1"&gt;/opt/sc4s/local/config/log_paths/&lt;/SPAN&gt;&lt;SPAN class="s1"&gt;lp-example.conf.tmpl. When I send the following event to SC4S from port 5144, the timestamp is extracted as attached: "1/28/21 4:31:30.000 PM". I see that the timestamp is extracted by adding three hours to this (&lt;SPAN&gt;Jan 28 13:21:30&amp;nbsp;&lt;/SPAN&gt;)&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN class="s1"&gt;However, when I read from file mytest123.log, as you can see, the timestamp is extracted correctly&amp;nbsp;&lt;SPAN&gt;1:21:27 PM.&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN class="s1"&gt;&lt;SPAN&gt;props.conf for mytest123.log&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;P class="p1"&gt;&lt;SPAN class="s1"&gt;[sc4s:forcepoint]&lt;/SPAN&gt;&lt;/P&gt;&lt;P class="p1"&gt;&lt;SPAN class="s1"&gt;TIME_PREFIX= \srt=&lt;/SPAN&gt;&lt;/P&gt;&lt;P class="p1"&gt;&lt;SPAN class="s1"&gt;MAX_TIMESTAMP_LOOKAHEAD=15&lt;/SPAN&gt;&lt;/P&gt;&lt;P class="p1"&gt;&amp;nbsp;&lt;/P&gt;&lt;P class="p1"&gt;&lt;SPAN class="s1"&gt;How can I extract the timestamp correctly?&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN class="s1"&gt;Thanks,&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Converted 13 digit epoch time = Thursday, January 28, 2021 1:21:27 PM&lt;/SPAN&gt;&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;A title="convert to other time zones" href="https://www.epochconverter.com/timezones?q=1611829287000" target="_blank" rel="noopener"&gt;GMT+03:00&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;"&lt;/SPAN&gt;&lt;SPAN&gt;&amp;lt;13&amp;gt; Jan 28 13:35:04 myhost &lt;/SPAN&gt;&lt;SPAN&gt;vendor=myvendor product="My xx Security" version=9.9.9 event=Message dvc=111.111.111.111 dvchost=&lt;/SPAN&gt;&lt;SPAN&gt;myhost rt=1611829287000&lt;/SPAN&gt;&lt;SPAN&gt;&amp;nbsp;externalId=999999900000000 messageId=mmmmm suser="abcd@xxx.com" 
duser="aa.bb@xxxx.com " msg="MY Event""&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="mytest.png" style="width: 999px;"&gt;&lt;img src="https://community.splunk.com/t5/image/serverpage/image-id/12720i82CF4AB10F0784D4/image-size/large?v=v2&amp;amp;px=999" role="button" title="mytest.png" alt="mytest.png" /&gt;&lt;/span&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="mytest1.png" style="width: 999px;"&gt;&lt;img src="https://community.splunk.com/t5/image/serverpage/image-id/12719i80B368884C431ABA/image-size/large?v=v2&amp;amp;px=999" role="button" title="mytest1.png" alt="mytest1.png" /&gt;&lt;/span&gt;&lt;/SPAN&gt;&lt;/P&gt;</description>
    <pubDate>Thu, 28 Jan 2021 14:39:00 GMT</pubDate>
    <dc:creator>mbozbura</dc:creator>
    <dc:date>2021-01-28T14:39:00Z</dc:date>
    <item>
      <title>SC4S Timestamp Extraction for Custom Inputs</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/SC4S-Timestamp-Extraction-for-Custom-Inputs/m-p/537638#M90101</link>
      <description>&lt;P&gt;Hi,&amp;nbsp;&lt;/P&gt;&lt;P&gt;I created my custom input (mytest.conf.tmpl) by copying the&amp;nbsp;&lt;SPAN class="s1"&gt;/opt/sc4s/local/config/log_paths/&lt;/SPAN&gt;&lt;SPAN class="s1"&gt;lp-example.conf.tmpl. When I send the following event to SC4S from port 5144, the timestamp is extracted as attached: "1/28/21 4:31:30.000 PM". I see that the timestamp is extracted by adding three hours to this (&lt;SPAN&gt;Jan 28 13:21:30&amp;nbsp;&lt;/SPAN&gt;)&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN class="s1"&gt;However, when I read from file mytest123.log, as you can see, the timestamp is extracted correctly&amp;nbsp;&lt;SPAN&gt;1:21:27 PM.&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN class="s1"&gt;&lt;SPAN&gt;props.conf for mytest123.log&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;P class="p1"&gt;&lt;SPAN class="s1"&gt;[sc4s:forcepoint]&lt;/SPAN&gt;&lt;/P&gt;&lt;P class="p1"&gt;&lt;SPAN class="s1"&gt;TIME_PREFIX= \srt=&lt;/SPAN&gt;&lt;/P&gt;&lt;P class="p1"&gt;&lt;SPAN class="s1"&gt;MAX_TIMESTAMP_LOOKAHEAD=15&lt;/SPAN&gt;&lt;/P&gt;&lt;P class="p1"&gt;&amp;nbsp;&lt;/P&gt;&lt;P class="p1"&gt;&lt;SPAN class="s1"&gt;How can I extract the timestamp correctly?&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN class="s1"&gt;Thanks,&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Converted 13 digit epoch time = Thursday, January 28, 2021 1:21:27 PM&lt;/SPAN&gt;&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;A title="convert to other time zones" href="https://www.epochconverter.com/timezones?q=1611829287000" target="_blank" rel="noopener"&gt;GMT+03:00&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;"&lt;/SPAN&gt;&lt;SPAN&gt;&amp;lt;13&amp;gt; Jan 28 13:35:04 myhost &lt;/SPAN&gt;&lt;SPAN&gt;vendor=myvendor product="My xx Security" version=9.9.9 event=Message dvc=111.111.111.111 dvchost=&lt;/SPAN&gt;&lt;SPAN&gt;myhost rt=1611829287000&lt;/SPAN&gt;&lt;SPAN&gt;&amp;nbsp;externalId=999999900000000 messageId=mmmmm suser="abcd@xxx.com" 
duser="aa.bb@xxxx.com " msg="MY Event""&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="mytest.png" style="width: 999px;"&gt;&lt;img src="https://community.splunk.com/t5/image/serverpage/image-id/12720i82CF4AB10F0784D4/image-size/large?v=v2&amp;amp;px=999" role="button" title="mytest.png" alt="mytest.png" /&gt;&lt;/span&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="mytest1.png" style="width: 999px;"&gt;&lt;img src="https://community.splunk.com/t5/image/serverpage/image-id/12719i80B368884C431ABA/image-size/large?v=v2&amp;amp;px=999" role="button" title="mytest1.png" alt="mytest1.png" /&gt;&lt;/span&gt;&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 28 Jan 2021 14:39:00 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/SC4S-Timestamp-Extraction-for-Custom-Inputs/m-p/537638#M90101</guid>
      <dc:creator>mbozbura</dc:creator>
      <dc:date>2021-01-28T14:39:00Z</dc:date>
    </item>
  </channel>
</rss>

