Getting Data In

How to parse epoch time in SNMP log?

Niraj_Shah
New Member

I would like to parse timestamp for Windows SNMP logs

Below is log

"{""MibList"":[{""OID"":""1.3.6.1.4.1.311.1.13.1.9999.1.0"",""Value"":""A process has exited.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tXXXX1$\r\n\tAccount Domain:XXXELEMENTS\r\n\tLogon ID:XXXX\r\n\r\nProcess Information:\r\n\tProcess ID:\t0x2338\r\n\tProcess Name:\tC:\Windows\System32\cmd.exe\r\n\tExit Status:\t0x3\r\n"",""Type"":4},{""OID"":""1.3.6.1.4.1.311.1.13.1.9999.2.0"",""Value"":""Unknown"",""Type"":4},{""OID"":""1.3.6.1.4.1.311.1.13.1.9999.3.0"",""Value"":""hostname.com"",""Type"":4},{""OID"":""1.3.6.1.4.1.311.1.13.1.9999.4.0"",""Value"":""8"",""Type"":4},{""OID"":""1.3.6.1.4.1.311.1.13.1.9999.5.0"",""Value"":""13313"",""Type"":4},{""OID"":""1.3.6.1.4.1.311.1.13.1.9999.6.0"",""Value"":""S-1-5-18"",""Type"":4},{""OID"":""1.3.6.1.4.1.311.1.13.1.9999.7.0"",""Value"":""XXX1$"",""Type"":4},{""OID"":""1.3.6.1.4.1.311.1.13.1.9999.8.0"",""Value"":""ELEMENTS"",""Type"":4},{""OID"":""1.3.6.1.4.1.311.1.13.1.9999.9.0"",""Value"":""0x3e7"",""Type"":4},{""OID"":""1.3.6.1.4.1.311.1.13.1.9999.10.0"",""Value"":""0x3"",""Type"":4},{""OID"":""1.3.6.1.4.1.311.1.13.1.9999.11.0"",""Value"":""0x2338"",""Type"":4},{""OID"":""1.3.6.1.4.1.311.1.13.1.9999.12.0"",""Value"":""C:\Windows\System32\cmd.exe"",""Type"":4}],""GenericTrap"":6,""AgentAddr"":""10.168.10.132"",""SpecificTrap"":4689,""Community"":""test"",""TimeStamp"":1683392789,""Enterprise"":""1.3.6.1.4.1.311.1.13.1.35.77.105.99.114.111.115.111.102.116.45.87.105.110.100.111.119.115.45.83.101.99.117.114.105.116.121.45.65.117.100.105.116.105.110.103"",""Version"":0,""PDUType"":164}"

Tags (1)
0 Karma

p_gurav
Champion

Can you try something like this:

MAX_DAYS_HENCE = 10950
MAX_TIMESTAMP_LOOKAHEAD = 100000
NO_BINARY_CHECK = true
TIME_FORMAT = %s
TIME_PREFIX = TimeStamp\"\":

MAX_DAYS_HENCE is optional , I just use this because the sample event you provide has future time.

0 Karma

Niraj_Shah
New Member

This is actual timestamp so I need to refine it, i am unable to parse to current year

0 Karma

somesoni2
Revered Legend

I would suggest giving below link a read to understand how the timestamp recognition works in Splunk and what all props.conf attributes that can be set.

http://docs.splunk.com/Documentation/Splunk/7.1.0/Data/Configuretimestamprecognition

For your log file, give this a try

props.conf on Indexer/Heavy Forwarder whichever comes first in data flow

[yourSourceTypeNameHere]
...Line Breaking configuration...
TIME_PREFIX = Timestamp[^\:]+\:
TIME_FORMAT = %s
MAX_TIMESTAMP_LOOKAHEAD = 10

Your timestamp is May 6, 2023, is this just a sample value or actual timestmap on the logs?

0 Karma

Niraj_Shah
New Member

This is actual timestamp so I need to refine it, i am unable to parse to current year

0 Karma
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...