Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Need assistance in setting a sourcetype--date/time

NanSplk01
Communicator
‎07-29-2024 11:59 AM

I am trying to create a sourcetype for a new client:

Note StartDate=xxxx is where the log begins.  However the StartTime=*** is not with it, but I need both int he logs.  How do I create this sourcetype? 

C:\Program Files\Universal\UAGSrv\xxx>set StartDate=Mon 07/29/2024

C:\Program Files\Universal\UAGSrv\xxx>set sdy=2024

C:\Program Files\Universal\UAGSrv\xxx>set sdm=07

C:\Program Files\Universal\UAGSrv\xxx>set sdd=29

C:\Program Files\Universal\UAGSrv\xxx>set sdy=2024

C:\Program Files\Universal\UAGSrv\xxx>set sdm=07

C:\Program Files\Universal\UAGSrv\xxx>set sdd=29

C:\Program Files\Universal\UAGSrv\xxx>set StartTime=14:45:09.56

 

any assistance would be very helpful and appreciated.

Labels (2)
Labels
0 Karma
Reply

NanSplk01
Communicator
‎07-29-2024 12:33 PM

It is one of several blocks of lines inside the log file.  Each starts with the little snippet I put above and then has any number of lines after it.  While the file is a .txt, the look to me would be a xml document that pushes out the log file.  I've not seen one like it before.  I was thinking I'd need a props or transform or both to set this date/time, but it's my first experience with it.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-30-2024 05:30 AM

While every sourcetype should have props defined, this may be beyond what transforms can do.  Timestamp extraction happens before transforms are applied, which is why I suggested an input script do the work.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-29-2024 12:20 PM

Wow.  The developer that created that log needs to be taught how to use Splunk so he can see how awful his creation is.

Is that one event or several?  Or is that the prologue to the log file?

You may be able to use a custom datetime.xml file or you may want to consider an input script that normalizes the timestamp.

---
If this reply helps you, Karma would be appreciated.
Reply

NanSplk01
Communicator
‎07-30-2024 09:11 AM

Well, I did find another line which has the date and time, but it's over 15 lines into the log file.  We need to start with the first line which is the beginning of the stanza, but get the timestamp which is 15th line showing after the opening line shown below

C:\Program Files\Universal\UAGSrv\xxxl_p01.nam>set StartDate=Tue 07/23/2024 

This is the actual timestamp which I think would work since it has both date and time (hoping that's what the _80514 is the time??

 Files\Universal\UAGSrv\xxx_p01.nam>set timestamp=20240723_80514

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-30-2024 05:11 PM

You probably could define TIME_PREFIX to find that timestamp.  However, is the timestamp present for every event or just once in the file?  If the latter, then start writing code to re-process that file into something Splunk can ingest more easily.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Registration is OPEN!

Ready. Set. Splunk! Your favorite Splunk user event is back and better than ever. Get ready for more technical ...

Detecting Cross-Channel Fraud with Splunk

This article is the final installment in our three-part series exploring fraud detection techniques using ...

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...