Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I configure my heavy forwarders to parse the timestamp for a WinRegistry sourcetype?

tkwaller
Builder
‎06-24-2016 09:13 AM

Hello

I'm having an issue with timestamping for my WinRegistry data.
I don't know whether by design, or for some other reason, the timestamp in the logs are as such:

11/02/11154 14:24:53.046

which of course is interpreted incorrectly. These Universal Forwarders forward to a cluster of Heavy Forwarders where an app SHOULD set the timestamp:

[WinRegistry]
DATETIME_CONFIG = CURRENT

but this does not seem to be the case as I have logs that go back to 1969 and forward to 2032.

Any ideas on where the issue may be?

Thanks for the thoughts

0 Karma
Reply

woodcock
Esteemed Legend
‎06-24-2016 09:50 AM

Your sourcetype must match EXACTLY; does it? You must restart your Splunk instance on the server where you changed this setting.

I would not use this approach, though; I would use SEDCMD to rewrite the timestamp with this:

s/^(\d+\/\d+)\/1115/\1\/2014/

You will have to fix this every New-Year's Eve (or until you can get the log writer/formatter fixed).

Reply

tkwaller
Builder
‎06-24-2016 12:09 PM

Yeah they match, in the app on the UF its:
[source::....winregistry]
sourcetype = WinRegistry

in the props on the HF the stanza is:
[WinRegistry]
DATETIME_CONFIG = CURRENT

0 Karma
Reply

woodcock
Esteemed Legend
‎06-24-2016 01:31 PM

Did you restart splunk instances?

0 Karma
Reply

tkwaller
Builder
‎06-27-2016 08:36 AM

Yeah I did. This has actually been in place for quite some time and hasn't been working. Just haven't had time for get to it until now.

0 Karma
Reply

tkwaller
Builder
‎07-13-2016 05:31 AM

I actually have a webex with support on this today. I believe that there's an issue with linebreaking and its inserting values where they should not be and its affecting the timestamp.
Thanks for looking at it!

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...