Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to parse epoch time in SNMP log?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to parse epoch time in SNMP log?
I would like to parse timestamp for Windows SNMP logs
Below is log
"{""MibList"":[{""OID"":""1.3.6.1.4.1.311.1.13.1.9999.1.0"",""Value"":""A process has exited.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tXXXX1$\r\n\tAccount Domain:XXXELEMENTS\r\n\tLogon ID:XXXX\r\n\r\nProcess Information:\r\n\tProcess ID:\t0x2338\r\n\tProcess Name:\tC:\Windows\System32\cmd.exe\r\n\tExit Status:\t0x3\r\n"",""Type"":4},{""OID"":""1.3.6.1.4.1.311.1.13.1.9999.2.0"",""Value"":""Unknown"",""Type"":4},{""OID"":""1.3.6.1.4.1.311.1.13.1.9999.3.0"",""Value"":""hostname.com"",""Type"":4},{""OID"":""1.3.6.1.4.1.311.1.13.1.9999.4.0"",""Value"":""8"",""Type"":4},{""OID"":""1.3.6.1.4.1.311.1.13.1.9999.5.0"",""Value"":""13313"",""Type"":4},{""OID"":""1.3.6.1.4.1.311.1.13.1.9999.6.0"",""Value"":""S-1-5-18"",""Type"":4},{""OID"":""1.3.6.1.4.1.311.1.13.1.9999.7.0"",""Value"":""XXX1$"",""Type"":4},{""OID"":""1.3.6.1.4.1.311.1.13.1.9999.8.0"",""Value"":""ELEMENTS"",""Type"":4},{""OID"":""1.3.6.1.4.1.311.1.13.1.9999.9.0"",""Value"":""0x3e7"",""Type"":4},{""OID"":""1.3.6.1.4.1.311.1.13.1.9999.10.0"",""Value"":""0x3"",""Type"":4},{""OID"":""1.3.6.1.4.1.311.1.13.1.9999.11.0"",""Value"":""0x2338"",""Type"":4},{""OID"":""1.3.6.1.4.1.311.1.13.1.9999.12.0"",""Value"":""C:\Windows\System32\cmd.exe"",""Type"":4}],""GenericTrap"":6,""AgentAddr"":""10.168.10.132"",""SpecificTrap"":4689,""Community"":""test"",""TimeStamp"":1683392789,""Enterprise"":""1.3.6.1.4.1.311.1.13.1.35.77.105.99.114.111.115.111.102.116.45.87.105.110.100.111.119.115.45.83.101.99.117.114.105.116.121.45.65.117.100.105.116.105.110.103"",""Version"":0,""PDUType"":164}"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you try something like this:
MAX_DAYS_HENCE = 10950
MAX_TIMESTAMP_LOOKAHEAD = 100000
NO_BINARY_CHECK = true
TIME_FORMAT = %s
TIME_PREFIX = TimeStamp\"\":
MAX_DAYS_HENCE is optional , I just use this because the sample event you provide has future time.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is actual timestamp so I need to refine it, i am unable to parse to current year
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would suggest giving below link a read to understand how the timestamp recognition works in Splunk and what all props.conf attributes that can be set.
http://docs.splunk.com/Documentation/Splunk/7.1.0/Data/Configuretimestamprecognition
For your log file, give this a try
props.conf on Indexer/Heavy Forwarder whichever comes first in data flow
[yourSourceTypeNameHere]
...Line Breaking configuration...
TIME_PREFIX = Timestamp[^\:]+\:
TIME_FORMAT = %s
MAX_TIMESTAMP_LOOKAHEAD = 10
Your timestamp is May 6, 2023, is this just a sample value or actual timestmap on the logs?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is actual timestamp so I need to refine it, i am unable to parse to current year
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...
Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern
Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...
