Checkpoint Firewall Logs in Splunk

dpatnam
Path Finder

Hello All,

I am trying to import some of my Checkpoint firewall logs into Splunk. I tried to setup a sample input to index the text format of these logs, but am running into issues with the header and timestamp extraction -

Here's a sample (pruned down) semi-colon separated input from the logs -

num;date;time;orig;type
0;22Mar2011;0:55:11;0.0.0.0;control
1;21Mar2011;7:09:41;0.0.0.1;log

Here are the entries in my props.conf to extract the timestamp and the header info for these logs -

TIME_PREFIX = ^\d+;
TIME_FORMAT = %DD%MMM%YYYY;%H:%M:%S
SHOULD_LINEMERGE = false
TZ=GMT
CHECK_FOR_HEADER = true

However, it looks like Splunk is only recognizing the time and the timezone configuration but it is setting the date to the current day (Apr 5th) and is also not extracting any of the headers for the events. Any help in figuring out where I am going wrong would be greatly appreciated.

Thank you.

hazekamp
Builder

dpatnam,

For TIME_FORMAT be sure to use strptime specifiers like so:

TIME_FORMAT = %d%B%Y;%H:%M:%S

See also: http://docs.python.org/library/time.html

dpatnam
Path Finder

Thanks hazedav and gkanapathy. I went the FIELDS/DELIMS route and got the header extraction to work as well.

gkanapathy
Splunk Employee

Agree with Dave. Do not use CHECK_FOR_HEADER, certainly not if your fields are known and fixed. Just specify the fields and delims manually.

hazekamp
Builder

I would highly discourage CHECK_FOR_HEADER and recommend FIELDS/DELIMS

dpatnam
Path Finder

Thanks hazedav. Just a short while before you posted the answers, I found another link that has all the time specifiers (http://dev.mysql.com/doc/refman/5.5/en/date-and-time-functions.html).

After referring to the specifiers in this link, I changed the TIME_FORMAT as shown below and am now able to extract the correct date as well.

TIME_FORMAT = %d%b%Y;%H:%M:%S

The only outstanding item for me now is the header extraction. I am still looking into this.
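Added example, not from the thread or from Splunk: a Python stand-in for the props.conf behaviour discussed above, parsing the question's sample with the corrected strptime format (`%d%b%Y;%H:%M:%S`) and taking field names from the header row the way a manual FIELDS/DELIMS setup does. `SAMPLE_LOG` is constructed from the sample in the question; `TZ=GMT` is modelled as UTC.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample, copied from the semi-colon separated export in the question.
SAMPLE_LOG = """num;date;time;orig;type
0;22Mar2011;0:55:11;0.0.0.0;control
1;21Mar2011;7:09:41;0.0.0.1;log
"""

# strptime format that resolved the date problem in the thread.
TIME_FORMAT = "%d%b%Y;%H:%M:%S"
# The original props.conf value; %D, %MMM and %YYYY are not strptime directives.
BROKEN_FORMAT = "%DD%MMM%YYYY;%H:%M:%S"


def format_is_valid(fmt, sample="22Mar2011;0:55:11"):
    """Return True if fmt parses the sample date;time string, False otherwise."""
    try:
        datetime.strptime(sample, fmt)
        return True
    except ValueError:
        return False


def parse_timestamp(date_field, time_field, fmt=TIME_FORMAT):
    """Join the date and time columns (mirroring TIME_PREFIX = ^\\d+;) and parse as UTC (TZ=GMT)."""
    return datetime.strptime(f"{date_field};{time_field}", fmt).replace(tzinfo=timezone.utc)


def parse_events(text, delim=";"):
    """Header-driven field extraction: names from row 1, values split on the delimiter.

    This is the manual FIELDS/DELIMS idea from the answers, not CHECK_FOR_HEADER.
    """
    reader = csv.reader(io.StringIO(text), delimiter=delim)
    header = next(reader)
    events = []
    for row in reader:
        if not row:
            continue
        event = dict(zip(header, row))
        event["_time"] = parse_timestamp(event["date"], event["time"])
        events.append(event)
    return events
```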
