Getting Data In

How to parse epoch time in SNMP log?

Niraj_Shah
New Member

I would like to parse timestamp for Windows SNMP logs

Below is log

"{""MibList"":[{""OID"":""1.3.6.1.4.1.311.1.13.1.9999.1.0"",""Value"":""A process has exited.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tXXXX1$\r\n\tAccount Domain:XXXELEMENTS\r\n\tLogon ID:XXXX\r\n\r\nProcess Information:\r\n\tProcess ID:\t0x2338\r\n\tProcess Name:\tC:\Windows\System32\cmd.exe\r\n\tExit Status:\t0x3\r\n"",""Type"":4},{""OID"":""1.3.6.1.4.1.311.1.13.1.9999.2.0"",""Value"":""Unknown"",""Type"":4},{""OID"":""1.3.6.1.4.1.311.1.13.1.9999.3.0"",""Value"":""hostname.com"",""Type"":4},{""OID"":""1.3.6.1.4.1.311.1.13.1.9999.4.0"",""Value"":""8"",""Type"":4},{""OID"":""1.3.6.1.4.1.311.1.13.1.9999.5.0"",""Value"":""13313"",""Type"":4},{""OID"":""1.3.6.1.4.1.311.1.13.1.9999.6.0"",""Value"":""S-1-5-18"",""Type"":4},{""OID"":""1.3.6.1.4.1.311.1.13.1.9999.7.0"",""Value"":""XXX1$"",""Type"":4},{""OID"":""1.3.6.1.4.1.311.1.13.1.9999.8.0"",""Value"":""ELEMENTS"",""Type"":4},{""OID"":""1.3.6.1.4.1.311.1.13.1.9999.9.0"",""Value"":""0x3e7"",""Type"":4},{""OID"":""1.3.6.1.4.1.311.1.13.1.9999.10.0"",""Value"":""0x3"",""Type"":4},{""OID"":""1.3.6.1.4.1.311.1.13.1.9999.11.0"",""Value"":""0x2338"",""Type"":4},{""OID"":""1.3.6.1.4.1.311.1.13.1.9999.12.0"",""Value"":""C:\Windows\System32\cmd.exe"",""Type"":4}],""GenericTrap"":6,""AgentAddr"":""10.168.10.132"",""SpecificTrap"":4689,""Community"":""test"",""TimeStamp"":1683392789,""Enterprise"":""1.3.6.1.4.1.311.1.13.1.35.77.105.99.114.111.115.111.102.116.45.87.105.110.100.111.119.115.45.83.101.99.117.114.105.116.121.45.65.117.100.105.116.105.110.103"",""Version"":0,""PDUType"":164}"

Tags (1)
0 Karma

p_gurav
Champion

Can you try something like this:

MAX_DAYS_HENCE = 10950
MAX_TIMESTAMP_LOOKAHEAD = 100000
NO_BINARY_CHECK = true
TIME_FORMAT = %s
TIME_PREFIX = TimeStamp\"\":

MAX_DAYS_HENCE is optional , I just use this because the sample event you provide has future time.

0 Karma

Niraj_Shah
New Member

This is actual timestamp so I need to refine it, i am unable to parse to current year

0 Karma

somesoni2
SplunkTrust
SplunkTrust

I would suggest giving below link a read to understand how the timestamp recognition works in Splunk and what all props.conf attributes that can be set.

http://docs.splunk.com/Documentation/Splunk/7.1.0/Data/Configuretimestamprecognition

For your log file, give this a try

props.conf on Indexer/Heavy Forwarder whichever comes first in data flow

[yourSourceTypeNameHere]
...Line Breaking configuration...
TIME_PREFIX = Timestamp[^\:]+\:
TIME_FORMAT = %s
MAX_TIMESTAMP_LOOKAHEAD = 10

Your timestamp is May 6, 2023, is this just a sample value or actual timestmap on the logs?

0 Karma

Niraj_Shah
New Member

This is actual timestamp so I need to refine it, i am unable to parse to current year

0 Karma
Get Updates on the Splunk Community!

Streamline Data Ingestion With Deployment Server Essentials

REGISTER NOW!Every day the list of sources Admins are responsible for gets bigger and bigger, often making the ...

Remediate Threats Faster and Simplify Investigations With Splunk Enterprise Security ...

REGISTER NOW!Join us for a Tech Talk around our latest release of Splunk Enterprise Security 7.2! We’ll walk ...

Introduction to Splunk AI

WATCH NOWHow are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. ...