Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to modify syslog source type to handle rfc3339 timestamp?

chutz
Engager
‎04-25-2020 08:45 AM

We pass messages with rsyslog using the rfc3339 time format. It has microseconds, and it has a timestamp. But noticed a few issues:

  • The time zone is not parsed out of the message. If I remove the microseconds from the timestamp, it would work fine.
  • The host does not get parsed out. Seems to be a problem with the syslog-host transform which does not like the timezone. Dropping the timezone fixes this problem but I would rather keep it.

What would be the best way to proceed?

  • Modify the syslog source type?
  • Create a new source type?
  • Report the issue and hope for a fix?
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-25-2020 09:37 AM

The best approach (IMO) is to create a new sourcetype that parses the data.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-25-2020 09:37 AM

The best approach (IMO) is to create a new sourcetype that parses the data.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...