Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Has anyone already figure out how to deal with timestamps from windows DNS debug logs?

gfriedmann
Communicator
‎04-09-2011 04:29 AM

I just started logging DNS debug logs from windows DNS servers. With the filename dns.log it is nicely identified as sourcetype=dns.

Timestamps are in the format 3/31/2011

Timestamp translation behaved as expected at first, but it seems that when i parsed a log file that was too far in the past (maybe +7 days?) splunk decided to reverse the order of month and year.

I kinda get why... It is just guess and has to go with it's gut. If the day is not more than 12, the month and day are ambiguous if too far in the past.

Does anyone already have knowhow and pattern to specify this format manually?

"4/8/2011 1:10:57 PM"

Reply
1 Solution
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎04-09-2011 02:19 PM

Try adding a stanza to $SPLUNK_HOME/etc/system/local/props.conf containing this:

[dns]
TIME_FORMAT=%D %r

The docs cover TIME_FORMAT at http://www.splunk.com/base/Documentation/latest/Data/Configuretimestamprecognition

View solution in original post

Reply
Solved! Jump to solution

sduff_splunk
Splunk Employee
Splunk Employee
‎06-02-2015 08:53 PM

The original format didn't work for me, but I found the following expression works fine

[dns]
TIME_FORMAT=%e/%m/%Y %I:%M:%S %p
Reply
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎04-09-2011 02:19 PM

Try adding a stanza to $SPLUNK_HOME/etc/system/local/props.conf containing this:

[dns]
TIME_FORMAT=%D %r

The docs cover TIME_FORMAT at http://www.splunk.com/base/Documentation/latest/Data/Configuretimestamprecognition

Reply
Solved! Jump to solution

gfriedmann
Communicator
‎06-06-2011 01:26 PM

I found the related problem that was causing a problem. The file i was collecting from did not update the file modified time. For some reason MAX_DAYS_HENCE=2 props.conf default setting was comparing the timestamp against the file-modified time and not the indexing time. I was expecting MAX_DAYS_HENCE= value to apply to the current indexing time and the parsed timestamp... not the file modified time vs the parsed timestamp.

0 Karma
Reply
Solved! Jump to solution

gfriedmann
Communicator
‎06-01-2011 12:40 PM

It was applied on the indexers. I still get inconsistent timestamp extractions. I am deploying universal Forwarder soon, maybe it will help with consistency.

0 Karma
Reply
Solved! Jump to solution

dwaddle
SplunkTrust
SplunkTrust
‎04-13-2011 01:20 PM

If you are running an LWF, then this configuration needs to be applied at the indexer, not the forwarder. Where did you apply it?

0 Karma
Reply
Solved! Jump to solution

gfriedmann
Communicator
‎04-13-2011 02:28 AM

Unfortunately, it doesn't seem to be adding the correct date. Maybe i should add that these dns.log files are bing picked up by a windows light forwarder running version 4.1.6. Half of the timestamps are parsed correctly, the other half aren't.

I like your answer though. I really think it is the right answer. Maybe i have a different question i should ask.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...