Re: Extract timestamp in db2audit

edwardman88 · ‎06-04-2014

Hi, I need Splunk to recognize the timestamps down to microseconds.

A sample event is listed below

"2014-06-03-18.30.02.188462","SYSADMIN","DB2AUDIT",2,0,"","dsbdbadm","DSBDBADM",,,"*LOCAL.dsbdbadm.140603103002","db2audit",,,,,,,,,,,,,,,

test]
TIME_PREFIX = ^"
TIME_FORMAT = %Y-%m-%d-%H.%M.%S.%6N

But didn’t work.
Any suggestion?

Thanks.

edwardman88 · ‎06-04-2014

I try to change the setting

In the props.conf
[test]
SHOULD_LINEMERGE=false
TIME_FORMAT=\"%Y-%m-%d-%H.%M.%S.%6N\"
In the inputs.conf

[monitor:///audit/03/instance/audit.del]
sourcetype = test
source = sat
index = sat

But splunk still can't get the log

We try delete the microseconds in the audit.del, the splunk can get the log.

Please advise!

somesoni2 · ‎06-04-2014

This worked fine with your sample data

[timetest]
SHOULD_LINEMERGE=false
TIME_FORMAT=\"%Y-%m-%d-%H.%M.%S.%6N\"

richgalloway · ‎06-04-2014

Have you tried omitting TIME_PREFIX?

---
If this reply helps you, Karma would be appreciated.

Extract timestamp in db2audit