I would like to parse timestamp for Windows SNMP logs
Below is log
"{""MibList"":[{""OID"":""1.3.6.1.4.1.311.1.13.1.9999.1.0"",""Value"":""A process has exited.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tXXXX1$\r\n\tAccount Domain:XXXELEMENTS\r\n\tLogon ID:XXXX\r\n\r\nProcess Information:\r\n\tProcess ID:\t0x2338\r\n\tProcess Name:\tC:\Windows\System32\cmd.exe\r\n\tExit Status:\t0x3\r\n"",""Type"":4},{""OID"":""1.3.6.1.4.1.311.1.13.1.9999.2.0"",""Value"":""Unknown"",""Type"":4},{""OID"":""1.3.6.1.4.1.311.1.13.1.9999.3.0"",""Value"":""hostname.com"",""Type"":4},{""OID"":""1.3.6.1.4.1.311.1.13.1.9999.4.0"",""Value"":""8"",""Type"":4},{""OID"":""1.3.6.1.4.1.311.1.13.1.9999.5.0"",""Value"":""13313"",""Type"":4},{""OID"":""1.3.6.1.4.1.311.1.13.1.9999.6.0"",""Value"":""S-1-5-18"",""Type"":4},{""OID"":""1.3.6.1.4.1.311.1.13.1.9999.7.0"",""Value"":""XXX1$"",""Type"":4},{""OID"":""1.3.6.1.4.1.311.1.13.1.9999.8.0"",""Value"":""ELEMENTS"",""Type"":4},{""OID"":""1.3.6.1.4.1.311.1.13.1.9999.9.0"",""Value"":""0x3e7"",""Type"":4},{""OID"":""1.3.6.1.4.1.311.1.13.1.9999.10.0"",""Value"":""0x3"",""Type"":4},{""OID"":""1.3.6.1.4.1.311.1.13.1.9999.11.0"",""Value"":""0x2338"",""Type"":4},{""OID"":""1.3.6.1.4.1.311.1.13.1.9999.12.0"",""Value"":""C:\Windows\System32\cmd.exe"",""Type"":4}],""GenericTrap"":6,""AgentAddr"":""10.168.10.132"",""SpecificTrap"":4689,""Community"":""test"",""TimeStamp"":1683392789,""Enterprise"":""1.3.6.1.4.1.311.1.13.1.35.77.105.99.114.111.115.111.102.116.45.87.105.110.100.111.119.115.45.83.101.99.117.114.105.116.121.45.65.117.100.105.116.105.110.103"",""Version"":0,""PDUType"":164}"
Can you try something like this:
MAX_DAYS_HENCE = 10950
MAX_TIMESTAMP_LOOKAHEAD = 100000
NO_BINARY_CHECK = true
TIME_FORMAT = %s
TIME_PREFIX = TimeStamp\"\":
MAX_DAYS_HENCE is optional , I just use this because the sample event you provide has future time.
This is actual timestamp so I need to refine it, i am unable to parse to current year
I would suggest giving below link a read to understand how the timestamp recognition works in Splunk and what all props.conf attributes that can be set.
http://docs.splunk.com/Documentation/Splunk/7.1.0/Data/Configuretimestamprecognition
For your log file, give this a try
props.conf on Indexer/Heavy Forwarder whichever comes first in data flow
[yourSourceTypeNameHere]
...Line Breaking configuration...
TIME_PREFIX = Timestamp[^\:]+\:
TIME_FORMAT = %s
MAX_TIMESTAMP_LOOKAHEAD = 10
Your timestamp is May 6, 2023, is this just a sample value or actual timestmap on the logs?
This is actual timestamp so I need to refine it, i am unable to parse to current year