Extract epoch and tai64 time from imported event

Explorer

Hi

Do you have any idea how to decode Epoch time and Tai64-encoded time?

I have several devices; their times are as below.

I completely have no idea on Tai64. For Epoch, I tried to put the following in props.conf

[sourcetype]
TIME_FORMAT = %s

but it does not work.

Time is Tai64

@400000004de5bcd921686bec tcpserver: status: 0/40
@400000004de5bcd921686034 tcpserver: end 10611 status 256
@400000004de5bcd91d08caec tcpserver: ok 10611 0:192.168.2.33:110 :192.168.1.102::2029
@400000004de5bcd91d08c704 tcpserver: pid 10611 from 192.168.1.102

Time is Epoch

1303380720.401    399 192.168.3.32 TCP_MISS/000 3437 GET mail:a@b.c - DIRECT/192.168.2.33 multipart/alternative DETECT-STAT:SPAM:FSIGK/SPAM_CT/4/0/str%3d0001.0A3D0009.4DB002F2.0054%2css%3d4%2cfgs%3d0:::: ACTION:CHANGE_SUBJECT: PROXY-STAT:smtp:0:3392:192.168.3.32:1:0:18:: PROTOCOL-STAT:a@b.c:<SNT115-W4378F7332227898850E657AE920@phx.gbl>: PROXY-ERROR::

1303365337.779    410 192.168.3.32 TCP_MISS/000 3313 GET mail:a@b.c - DIRECT/192.168.2.33 multipart/alternative DETECT-STAT:SPAM:FSIGK/SPAM_CT/3/0/str%3d0001.0A3D0009.4DAFC6DB.0037%2css%3d3%2cfgs%3d0:::: ACTION:CHANGE_SUBJECT: PROXY-STAT:smtp:1:3393:192.168.3.32:1:0:13:: PROTOCOL-STAT:a@b.c:<418ea2af3d2ec5aebde87ee2c78309ad@edm04.01webdesign.com.hk>: PROXY-ERROR::

1303365336.935    404 192.168.3.32 TCP_MISS/000 3308 GET mail:a@b.c - DIRECT/192.168.2.33 multipart/alternative DETECT-STAT:SPAM:FSIGK/SPAM_CT/3/0/str%3d0001.0A3D0009.4DAFC6DA.0054%2css%3d3%2cfgs%3d0:::: ACTION:CHANGE_SUBJECT: PROXY-STAT:smtp:0:3392:192.168.3.32:1:0:16:: PROTOCOL-STAT:a@b.c:<fa4fe4d1cb0c21701daea014a61fdde7@edm04.01webdesign.com.hk>: PROXY-ERROR::
Esteemed Legend

You cannot tell Splunk the TIME_FORMAT for Tai64, but if you tell Splunk TIME_PREFIX and MAX_TIMESTAMP_LOOKAHEAD, it will get it automatically correct (except for sub-seconds) and it should work for both epoch and Tai64:

[sourcetype]
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 26
0 Karma
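
To check what Splunk extracts from the Tai64 lines in the question, including the sub-seconds the answer says are lost, the labels can be decoded by hand. The Python below is an added example, not code from the thread or from Splunk; the function names are hypothetical, and the 10-second offset is an assumption that the logs were written by daemontools-style tooling.

```python
import re
from datetime import datetime, timezone

# TAI64N label: "@" + 16 hex digits (seconds) + 8 hex digits (nanoseconds).
TAI64N_RE = re.compile(r"^@([0-9a-f]{16})([0-9a-f]{8})(?=\s|$)", re.IGNORECASE)
TAI64_EPOCH = 1 << 62    # label value that corresponds to 1970-01-01 00:00:00 TAI
DAEMONTOOLS_OFFSET = 10  # assumption: writer added 10 s to the Unix clock


def decode_tai64n(label, offset=DAEMONTOOLS_OFFSET):
    """Return (unix_seconds, nanoseconds) for a leading TAI64N label, else None."""
    m = TAI64N_RE.match(label)
    if not m:
        return None
    secs = int(m.group(1), 16)
    nanos = int(m.group(2), 16)
    if secs >= (1 << 63) or nanos >= 1_000_000_000:
        return None  # reserved seconds range or impossible nanosecond field
    return secs - TAI64_EPOCH - offset, nanos


def rewrite_line(line):
    """Swap a leading TAI64N label for an ISO 8601 UTC timestamp.

    Lines without a valid label (e.g. the epoch-stamped proxy log) pass through.
    """
    decoded = decode_tai64n(line)
    if decoded is None:
        return line
    unix_secs, nanos = decoded
    stamp = datetime.fromtimestamp(unix_secs, tz=timezone.utc)
    rest = line[TAI64N_RE.match(line).end():]
    return f"{stamp:%Y-%m-%dT%H:%M:%S}.{nanos:09d}Z{rest}"


if __name__ == "__main__":
    # Sample lines copied from the question above.
    for sample in (
        "@400000004de5bcd921686bec tcpserver: status: 0/40",
        "@400000004de5bcd91d08c704 tcpserver: pid 10611 from 192.168.1.102",
    ):
        print(rewrite_line(sample))
```

Comparing the decoded value with the `_time` Splunk assigns to the same event shows whether the automatic extraction is correct for a given source.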