Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Need assistance in setting a sourcetype--date/time

NanSplk01
Communicator
‎07-29-2024 11:59 AM

I am trying to create a sourcetype for a new client:

Note StartDate=xxxx is where the log begins.  However the StartTime=*** is not with it, but I need both int he logs.  How do I create this sourcetype? 

C:\Program Files\Universal\UAGSrv\xxx>set StartDate=Mon 07/29/2024

C:\Program Files\Universal\UAGSrv\xxx>set sdy=2024

C:\Program Files\Universal\UAGSrv\xxx>set sdm=07

C:\Program Files\Universal\UAGSrv\xxx>set sdd=29

C:\Program Files\Universal\UAGSrv\xxx>set sdy=2024

C:\Program Files\Universal\UAGSrv\xxx>set sdm=07

C:\Program Files\Universal\UAGSrv\xxx>set sdd=29

C:\Program Files\Universal\UAGSrv\xxx>set StartTime=14:45:09.56

 

any assistance would be very helpful and appreciated.

Labels (2)
Labels
0 Karma
Reply

NanSplk01
Communicator
‎07-29-2024 12:33 PM

It is one of several blocks of lines inside the log file.  Each starts with the little snippet I put above and then has any number of lines after it.  While the file is a .txt, the look to me would be a xml document that pushes out the log file.  I've not seen one like it before.  I was thinking I'd need a props or transform or both to set this date/time, but it's my first experience with it.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-30-2024 05:30 AM

While every sourcetype should have props defined, this may be beyond what transforms can do.  Timestamp extraction happens before transforms are applied, which is why I suggested an input script do the work.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-29-2024 12:20 PM

Wow.  The developer that created that log needs to be taught how to use Splunk so he can see how awful his creation is.

Is that one event or several?  Or is that the prologue to the log file?

You may be able to use a custom datetime.xml file or you may want to consider an input script that normalizes the timestamp.

---
If this reply helps you, Karma would be appreciated.
Reply

NanSplk01
Communicator
‎07-30-2024 09:11 AM

Well, I did find another line which has the date and time, but it's over 15 lines into the log file.  We need to start with the first line which is the beginning of the stanza, but get the timestamp which is 15th line showing after the opening line shown below

C:\Program Files\Universal\UAGSrv\xxxl_p01.nam>set StartDate=Tue 07/23/2024 

This is the actual timestamp which I think would work since it has both date and time (hoping that's what the _80514 is the time??

 Files\Universal\UAGSrv\xxx_p01.nam>set timestamp=20240723_80514

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-30-2024 05:11 PM

You probably could define TIME_PREFIX to find that timestamp.  However, is the timestamp present for every event or just once in the file?  If the latter, then start writing code to re-process that file into something Splunk can ingest more easily.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...