Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Cisco SNMP Incorrect Time Indexed

robgreen1984
New Member
‎11-13-2012 02:07 AM

Hi all,

I am pulling in SNMP polling data from some Cisco devices via shell scripts in Splunk. This all works fine apart from the indexing within Splunk. As the messages I am pulling in start with the date that the Cisco OS was compiled, all of my logs are showing as coming through on the exact same date and time!

An example- At the top of my snmpwalk output, the following is displayed -

Compiled Thu 19-Jul-07 20:06

This means that every log that comes in, Splunk is seeing and logging as from this date and time. That message never changes, so everything comes through under that exact date and time which makes the logs essentially useless. Is there a way I can get Splunk to ignore this line? I am unable to easily parse it during the script process.

Thanks

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Damien_Dallimor
Ultra Champion
‎11-13-2012 02:22 AM

In your shell script , can you prepend a date that you actually want to the SNMP event before outputting it to Splunk ?

Alternatively, you could disable timestamp extraction for these events in props.conf, 

DATETIME_CONFIG=NONE

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Damien_Dallimor
Ultra Champion
‎11-13-2012 02:22 AM

In your shell script , can you prepend a date that you actually want to the SNMP event before outputting it to Splunk ?

Alternatively, you could disable timestamp extraction for these events in props.conf, 

DATETIME_CONFIG=NONE
0 Karma
Reply
Solved! Jump to solution

robgreen1984
New Member
‎11-14-2012 04:35 AM

One thing to note- when adding other data sources such as scanned file sources, you need to re-add the DATETIME_CONFIG line in a custom props.conf file under that Data Source

0 Karma
Reply
Solved! Jump to solution

robgreen1984
New Member
‎11-13-2012 02:50 AM

Setting the DATETIME_CONFIG to NONE sorted that out straight away, many thanks for that.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...