Solved: Cisco SNMP Incorrect Time Indexed

robgreen1984 · ‎11-13-2012

Hi all,

I am pulling in SNMP polling data from some Cisco devices via shell scripts in Splunk. This all works fine apart from the indexing within Splunk. As the messages I am pulling in start with the date that the Cisco OS was compiled, all of my logs are showing as coming through on the exact same date and time!

An example- At the top of my snmpwalk output, the following is displayed -

Compiled Thu 19-Jul-07 20:06

This means that every log that comes in, Splunk is seeing and logging as from this date and time. That message never changes, so everything comes through under that exact date and time which makes the logs essentially useless. Is there a way I can get Splunk to ignore this line? I am unable to easily parse it during the script process.

Thanks

Damien_Dallimor · ‎11-13-2012

In your shell script , can you prepend a date that you actually want to the SNMP event before outputting it to Splunk ?

Alternatively, you could disable timestamp extraction for these events in props.conf,

DATETIME_CONFIG=NONE

View solution in original post

Damien_Dallimor · ‎11-13-2012

In your shell script , can you prepend a date that you actually want to the SNMP event before outputting it to Splunk ?

Alternatively, you could disable timestamp extraction for these events in props.conf,

DATETIME_CONFIG=NONE

robgreen1984 · ‎11-14-2012

One thing to note- when adding other data sources such as scanned file sources, you need to re-add the DATETIME_CONFIG line in a custom props.conf file under that Data Source

robgreen1984 · ‎11-13-2012

Setting the DATETIME_CONFIG to NONE sorted that out straight away, many thanks for that.

Cisco SNMP Incorrect Time Indexed

Best Strategies to Optimize Observability Costs

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...