
How to achieve multiple timestamps in single log file?

bhavneeshvohra
Engager

I am onboarding data from Trend Micro Portable Security via HEC. As per the Trend Micro documentation, it needs 5 indexes to be created on the Splunk end, namely scanned log, detectedlog, assetinfo, updateinfo, application info. We have created these indexes on the HF and used the following transform to send it to a single index on the indexers.

The transform used is

[trendmicro_routing]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = app_trendmicro

Also, we have created different sourcetypes for each of the 5 categories of logs (scanned log, detectedlog, assetinfo, updateinfo, application info).

The transforms stanzas used are

[tmps_scannedlogs]
REGEX = scannedFiles\=
FORMAT = sourcetype::tmps_scannedlogs
DEST_KEY = MetaData:Sourcetype

[tmps_detectedlogs]
REGEX = threatType\=
FORMAT = sourcetype::tmps_detectedlogs
DEST_KEY = MetaData:Sourcetype

[tmps_assetinfo]
REGEX = physicalMemory\=
FORMAT = sourcetype::tmps_assetinfo
DEST_KEY = MetaData:Sourcetype

[tmps_applicationinfo]
REGEX = installPath\=
FORMAT = sourcetype::tmps_applicationinfo
DEST_KEY = MetaData:Sourcetype

[tmps_updateinfo]
REGEX = ^(?!.*(scannedFiles|threatType|physicalMemory|installPath)).*
FORMAT = sourcetype::tmps_updateinfo
DEST_KEY = MetaData:Sourcetype

Now the scanned and detected logs have a different time format, which looks like this ->

startTime=Jun 13 2022 14:29:4

Asset info logs have a different time format, like ->

systemDateAndTime=16062022 12:47:26

and the rest of the log types (updateinfo, applicationinfo) do not have a timestamp.

And what I understand is we cannot apply timestamp settings after routing it to different sourcetypes.

How to make Splunk parse different time formats and apply the proper settings?

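As an added, stand-alone Python example (not code from the original post, from Trend Micro, or from Splunk), the following mirrors the sourcetype-routing regexes quoted in the question and parses the two timestamp formats it shows, so the rules can be checked offline against sample events before they are committed to props.conf and transforms.conf. The sample events, the key=value layout, and the prefix regexes that bound each timestamp (`startTime=` for scanned/detected logs, `systemDateAndTime=` for asset info) are assumptions; events without a recognisable timestamp fall back to the receive time and are flagged, so they can be spotted in a search rather than silently carrying a wrong time.

```python
import re
from datetime import datetime
from typing import Optional, Tuple

# Index routing mirrored from [trendmicro_routing]: REGEX = . matches any
# non-empty event, so everything lands in one index.
INDEX_RULE = (re.compile(r"."), "app_trendmicro")

# Sourcetype rules mirrored from the transforms.conf stanzas in the question,
# in the same order. The last rule reuses the negative lookahead from the
# page, so it only matches when none of the other markers is present.
SOURCETYPE_RULES = [
    ("tmps_scannedlogs", re.compile(r"scannedFiles=")),
    ("tmps_detectedlogs", re.compile(r"threatType=")),
    ("tmps_assetinfo", re.compile(r"physicalMemory=")),
    ("tmps_applicationinfo", re.compile(r"installPath=")),
    ("tmps_updateinfo",
     re.compile(r"^(?!.*(scannedFiles|threatType|physicalMemory|installPath)).*")),
]

# Per-sourcetype timestamp prefix and strptime format. The prefix regexes are
# assumptions based on the two sample values in the question; the formats are
# the ones those samples imply ("Jun 13 2022 14:29:4" and "16062022 12:47:26").
# %S accepts a single-digit second, which the first sample needs.
TIME_RULES = {
    "tmps_scannedlogs": (
        re.compile(r"startTime=([A-Za-z]{3} \d{1,2} \d{4} \d{1,2}:\d{2}:\d{1,2})"),
        "%b %d %Y %H:%M:%S"),
    "tmps_detectedlogs": (
        re.compile(r"startTime=([A-Za-z]{3} \d{1,2} \d{4} \d{1,2}:\d{2}:\d{1,2})"),
        "%b %d %Y %H:%M:%S"),
    "tmps_assetinfo": (
        re.compile(r"systemDateAndTime=(\d{8} \d{2}:\d{2}:\d{2})"),
        "%d%m%Y %H:%M:%S"),
}

# Constructed receive time, standing in for the moment HEC accepted the event.
INGEST_TIME = datetime(2022, 6, 20, 9, 0, 0)

# Constructed sample events, one per category; the field layout is assumed.
SAMPLE_EVENTS = [
    "scannedFiles=120 startTime=Jun 13 2022 14:29:4 hostName=pc01",
    "threatType=Trojan startTime=Jun 13 2022 14:31:07 hostName=pc01",
    "physicalMemory=16384 systemDateAndTime=16062022 12:47:26 hostName=pc01",
    "installPath=C:\\TMPS version=3.0",
    "patternVersion=17.445.00 updateStatus=ok",
]


def classify(event: str) -> str:
    """Return the sourcetype the transforms in the question would assign."""
    for sourcetype, pattern in SOURCETYPE_RULES:
        if pattern.search(event):
            return sourcetype
    # Unreachable with the rules above: the fallback matches any event that
    # carries none of the four markers. Kept as a guard against rule edits.
    raise ValueError("no sourcetype rule matched")


def extract_time(event: str, sourcetype: str,
                 received_at: datetime) -> Tuple[datetime, bool]:
    """Parse the event timestamp for this sourcetype.

    Returns (timestamp, True) when it came from the event, or
    (received_at, False) when the sourcetype has no timestamp rule, the
    prefix is absent, or the value does not parse with the expected format.
    """
    rule: Optional[Tuple[re.Pattern, str]] = TIME_RULES.get(sourcetype)
    if rule is None:
        return received_at, False
    prefix, fmt = rule
    match = prefix.search(event)
    if match is None:
        return received_at, False
    try:
        return datetime.strptime(match.group(1), fmt), True
    except ValueError:
        return received_at, False


def process(event: str, received_at: datetime = INGEST_TIME) -> dict:
    """Apply index routing, sourcetype routing and timestamp parsing."""
    index = INDEX_RULE[1] if INDEX_RULE[0].search(event) else None
    sourcetype = classify(event)
    ts, from_event = extract_time(event, sourcetype, received_at)
    return {"index": index, "sourcetype": sourcetype,
            "_time": ts, "time_from_event": from_event}


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        r = process(ev)
        print(f"{r['sourcetype']:<22} {r['_time'].isoformat()} "
              f"from_event={r['time_from_event']}  {ev}")
```

Running the block prints one line per sample event; the two update/application events show `from_event=False`, which is the condition a search would look for to find events that were stamped with receive time rather than a time carried in the log.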

isoutamo
SplunkTrust

Hi

You need to define those on the HF side in props.conf to recognise the different timestamps, in the same place where you are calling those transforms, just with a different definition based on the original sourcetype.

r. Ismo
