we saw this log from cisco IOS in splunk:
...Jul 4 16:43:42 HOSTNAME 19028: 10.1.1: Jul 4 16:43:42.804: %LINE.....
and this from a WLC:
...Jul 4 16:44:46 wlc-xxx WLXxxxxx: spamApTa7: Jul 04 16:44:46.583: %CAPWAP
Please find the date definition with a leading zero and without.
To speedup splunk index processing we would like to give Splunk a hint how to extract the time with the miliseconds. Per default there is no extraction of the partial seconds.
Using the splunkta for extraction splunk uses the syslog time as the messages reaches the indexer. Splunk does not use the internal time:
Jul 4 17:07:24 hostx 9481: 10.251.8.4: Jul 4 17:07:23.279: %PM-4-ERRDISABLE: bpduguard XXXXX
How can we help the index time processing to extract the correct time with miliseconds with both types of syslog-typs in one index?
Or is it better to seperate the wlc and ios? Can we then use the Cisco-Dashboard app anymore as we have two indexes?
@tfechner, I think Docs needs correction to description. However, as per Unix documentation %d picks up both date prefixed with 0 and not prefixed with 0. http://pubs.opengroup.org/onlinepubs/7908799/xsh/strptime.html
Following is a run anywhere search to demo _time being set from time field with both kind of dates.
| makeresults | eval data="time=\"Jul 4 16:43:42.804\",time=\"Jul 04 16:44:46.583\"" | makemv data delim="," | mvexpand data | rename data as _raw | KV | eval _time=strptime(time,"%b %d %H:%M:%S.%3N")
To answer your other question, you should ideally create two different sourcetypes for data coming in two different formats from two systems. You can correlate them afterwards as per your requirement.
you will have to set a TIMEFORMAT and TIMEPREFIX for the cisco:ios sourcetype (see props.conf)
Use something like Rubular.com to test it.
For TIME_PREFIX this may work:
TIME_PREFIX = \S+:\s\S+:\s
However you may have false positives as it is very generic.
Regarding TIME_FORMAT you may have issues with the asterisk. For IOS devices the asterisk is there to indicate that the time is not synced with NTP (ref. https://networkengineering.stackexchange.com/questions/10168/interpreting-cisco-logging-symbols), but I am not sure if the meaning is the same for WLC.
I prefer to trust the syslog server time instead of the device time for Cisco networking devices, but maybe that's just me.
The asterix is a typo... 🙂
The problem is to extract the time and date! (23:59:59-offset) - not the prefix.. The time format string according https://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Commontimeformatvariables has no day extracting string for number with and without leading zero. You can use %d or $e. There is no %XXX as for minutes like %M (do not care about leading zero)