Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to modify syslog source type to handle rfc3339 timestamp?

chutz
Engager
‎04-25-2020 08:45 AM

We pass messages with rsyslog using the rfc3339 time format. It has microseconds, and it has a timestamp. But noticed a few issues:

  • The time zone is not parsed out of the message. If I remove the microseconds from the timestamp, it would work fine.
  • The host does not get parsed out. Seems to be a problem with the syslog-host transform which does not like the timezone. Dropping the timezone fixes this problem but I would rather keep it.

What would be the best way to proceed?

  • Modify the syslog source type?
  • Create a new source type?
  • Report the issue and hope for a fix?
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-25-2020 09:37 AM

The best approach (IMO) is to create a new sourcetype that parses the data.

---
If this reply helps you, an upvote would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-25-2020 09:37 AM

The best approach (IMO) is to create a new sourcetype that parses the data.

---
If this reply helps you, an upvote would be appreciated.

View solution in original post

Reply
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes and swag!