Getting Data In

Help modifying timestamps


I have Nessus event data that looks like this:

4/7/11 5:26:42.000 PM host_end Thu Apr 7 17:26:42 2011
4/7/11 5:23:58.000 PM 10.11.5 irdmi (8000/tcp) 33817
4/7/11 5:23:58.000 PM 10.11.5 irdmi (8000/tcp) 47830
4/7/11 5:19:22.000 PM 10.11.5 irdmi (8000/tcp) 10815

If I want all of the events for to have the timestamp of the result that contains host_end, what's the best way to do that? I've tried using transaction to group the events and then use rex and mvexpand to pull them out again. The problem is that those field extractions are really expensive when you're dealing with 50,000 events in a vulnerability scan.

Any help would be appreciated.



Tags (1)
0 Karma

Splunk Employee
Splunk Employee

I suppose I would ask why you want those timestamps to be all the same ultimately, i.e. what are you doing with this data that they need identical timestamps, and if they do need them, what field you are using and what you are doing with them. It's possible that this is an unnecessary intermediate step in achieving your final result.

Also, if in fact the timestamps on the data is actually incorrect, perhaps it might be possible to set them correctly on input. That depends on the grouping and ordering of the data in the first place though, e.g. whether it comes in files, whether events from different hosts and times are in the same file, whether individual events are interleaved, etc.

0 Karma


I found one way to do it, though it isn't all that elegant. I searched the scan results for all of the host_start entry and then deduped them by host. That gives me the time of the most recent scan. The host and _time field are exported to a lookup table.

I then search on the scan results, do a lookup to get the most recent scan time, and then use "where" to filter results where the _time field is less than the _time field from the lookup table.

0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...