topic Re: How to parse epoch time in SNMP log? in Getting Data In

How to parse epoch time in SNMP log?

Niraj_Shah — Mon, 21 May 2018 13:27:17 GMT

I would like to parse timestamp for Windows SNMP logs

Below is log

"{""MibList"":[{""OID"":""1.3.6.1.4.1.311.1.13.1.9999.1.0"",""Value"":""A process has exited.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tXXXX1$\r\n\tAccount Domain:XXXELEMENTS\r\n\tLogon ID:XXXX\r\n\r\nProcess Information:\r\n\tProcess ID:\t0x2338\r\n\tProcess Name:\tC:\Windows\System32\cmd.exe\r\n\tExit Status:\t0x3\r\n"",""Type"":4},{""OID"":""1.3.6.1.4.1.311.1.13.1.9999.2.0"",""Value"":""Unknown"",""Type"":4},{""OID"":""1.3.6.1.4.1.311.1.13.1.9999.3.0"",""Value"":""hostname.com"",""Type"":4},{""OID"":""1.3.6.1.4.1.311.1.13.1.9999.4.0"",""Value"":""8"",""Type"":4},{""OID"":""1.3.6.1.4.1.311.1.13.1.9999.5.0"",""Value"":""13313"",""Type"":4},{""OID"":""1.3.6.1.4.1.311.1.13.1.9999.6.0"",""Value"":""S-1-5-18"",""Type"":4},{""OID"":""1.3.6.1.4.1.311.1.13.1.9999.7.0"",""Value"":""XXX1$"",""Type"":4},{""OID"":""1.3.6.1.4.1.311.1.13.1.9999.8.0"",""Value"":""ELEMENTS"",""Type"":4},{""OID"":""1.3.6.1.4.1.311.1.13.1.9999.9.0"",""Value"":""0x3e7"",""Type"":4},{""OID"":""1.3.6.1.4.1.311.1.13.1.9999.10.0"",""Value"":""0x3"",""Type"":4},{""OID"":""1.3.6.1.4.1.311.1.13.1.9999.11.0"",""Value"":""0x2338"",""Type"":4},{""OID"":""1.3.6.1.4.1.311.1.13.1.9999.12.0"",""Value"":""C:\Windows\System32\cmd.exe"",""Type"":4}],""GenericTrap"":6,""AgentAddr"":""10.168.10.132"",""SpecificTrap"":4689,""Community"":""test"",""TimeStamp"":1683392789,""Enterprise"":""1.3.6.1.4.1.311.1.13.1.35.77.105.99.114.111.115.111.102.116.45.87.105.110.100.111.119.115.45.83.101.99.117.114.105.116.121.45.65.117.100.105.116.105.110.103"",""Version"":0,""PDUType"":164}"

Re: How to parse epoch time in SNMP log?

somesoni2 — Mon, 21 May 2018 15:44:36 GMT

I would suggest giving below link a read to understand how the timestamp recognition works in Splunk and what all props.conf attributes that can be set.

http://docs.splunk.com/Documentation/Splunk/7.1.0/Data/Configuretimestamprecognition

For your log file, give this a try

props.conf on Indexer/Heavy Forwarder whichever comes first in data flow

[yourSourceTypeNameHere]
...Line Breaking configuration...
TIME_PREFIX = Timestamp[^\:]+\:
TIME_FORMAT = %s
MAX_TIMESTAMP_LOOKAHEAD = 10

Your timestamp is May 6, 2023, is this just a sample value or actual timestmap on the logs?

Re: How to parse epoch time in SNMP log?

p_gurav — Tue, 29 Sep 2020 19:36:53 GMT

Can you try something like this:

MAX_DAYS_HENCE = 10950
MAX_TIMESTAMP_LOOKAHEAD = 100000
NO_BINARY_CHECK = true
TIME_FORMAT = %s
TIME_PREFIX = TimeStamp\"\":

MAX_DAYS_HENCE is optional , I just use this because the sample event you provide has future time.

Re: How to parse epoch time in SNMP log?

Niraj_Shah — Wed, 23 May 2018 12:45:07 GMT

This is actual timestamp so I need to refine it, i am unable to parse to current year

Re: How to parse epoch time in SNMP log?

Niraj_Shah — Wed, 23 May 2018 12:45:36 GMT

This is actual timestamp so I need to refine it, i am unable to parse to current year