Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: How to correct an incorrect time value?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to correct an incorrect time value?
I have the following event being sent from a Universal Forwarder (UF) syslog server to a standalone instance of Splunk:
4656Open Object101.3CIFS000x8020000000000000Audit SuccessSecurityc5e81075-f14f-11e3-9b1e-123478563412/cd4c5993-11b0-11e4-92a9-123478563412134.82.79.10S-1-5-21-2136110353-913448559-1712093940-13349falseBUCKNELLleisnhth-aSecurityFile00000000000466;00;015ce358;514e6b60(netspace_departments);/isr/public/www2/bu_only/AICT/images/oversize/IRM195.jpg%%4423 %%1538 2080Read Attributes; Read ACL;
The data is obviously in an XML format. I created a subdirectory within $SPLUNK_HOME/etc/deployment-apps/IA-naaudit and in the default dir I have an inputs.conf:
[monitor:///var/log/rsyslogs/Netapp/audit_svm_netspace_last.xml]
index = netapp
sourcetype = audit
_TCP_ROUTING = dev_splunk
and an outputs.conf
[tcpout:dev_splunk]
server = sptest:9996
I manually replicated these dirs and files on the UF in /opt/splunkforwarder/etc/apps/
I am now receiving the event data shown above.
On the standalone instance I created the dir $SPLUNK_HOME/etc/deployment-apps/TA-naaudit and in the local dir I created
props.conf:
[netapp]
KV_MODE = xml
TIME_PREFIX = \ntscripts\<
DEST_KEY = queue
FORMAT = nullQueue
Here is my problem: from the event you can see that it should have the timestamp "2017-03-27T16:18:55.218021000Z". When I do a search on index=netapp this event (along with a gazillion others) it gets the time stamp "3/27/17 12:40:40.000 PM" which is incorrect.
Also, I'm trying to drop the events with the user "ntscripts" but they show up in the search as well.
Can you tell me where I'm going wrong?
Thanks,
Mike
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need this setting, too:
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%9N%z
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The directory $SPLUNK_HOME/etc/deployment-apps is for storing the deployment app that you push if your current server is a deployment server. Since you copied the app IA-naaudit with inputs.conf manually on UF, that was fine. You need to place the $SPLUNK_HOME/etc/deployment-apps/TA-naaudit in $SPLUNK_HOME/etc/apps/TA-naaudit directory, place from where your standalone Splunk instance will read/load the configuration.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks. I used btool and found I wasn't loading that particular props.conf file.
Unlock Database Monitoring with Splunk Observability Cloud
Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All
[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk
