Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Optimizing custom log formats

travispowell
Path Finder
‎04-19-2011 10:39 AM

I read a post on the site describing how an optimum custom log format for Splunk would take the form:

<timestamp> key=val key=val key=val key=val

...and I tried to build a log formatter for our in-house software that would write logs like this. I'm trying out Splunk, and trying to figure out why it doesn't pick up the timestamps for what they are. Here's a single log entry (the first number is a UNIX timestamp):

1303115585 SESSION_KEY=56c2964bce6b36da9e895c5be963584a REMOTE_ADDRESS=65.13.25.203 CANISTER_LSSN=LSSN_20110418_MASTER.dat CANISTER_SESSION_ID=153051 SID=7B019FB669961069023EADEB66C4E2BE UID=6C6838A20A1E100A01139E8210F7048E VID= CANISTER_SERVER=MASTER:19000 DURATION=103 HCOUNT=2 HTTP_USER_AGENT=Windows-RSS-Platform/2.0_(MSIE_8.0;_Windows_NT_5.1) EXTRACTID=1303156352 LINK=http:\/\/MASTER:19000/Session.rfx?canName%3DCANISTER.dbs\LSSN_20110418_MASTER.dat&sessionId%3D153051

I'm wondering if the link at the end if causing me grief, but I even encoded the '=' and replaced the spaces in the HTTP_USER_AGENT field with underscores.

So am I right to assume that I have to teach it how to read my dates with the >splunk train command? Does Splunk not auto-extract UNIX timestamps?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎04-19-2011 12:04 PM

There was a bug related to auto-detecting an epoch time format, fixed in 4.2.1. You can see a set of workarounds at http://www.splunk.com/base/Documentation/4.2/ReleaseNotes/Knownissues. My personal preference is to explicitly set TIME_FORMAT for my sourcetypes so there is no guessing as to how the time is parsed.

View solution in original post

Reply
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎04-19-2011 12:04 PM

There was a bug related to auto-detecting an epoch time format, fixed in 4.2.1. You can see a set of workarounds at http://www.splunk.com/base/Documentation/4.2/ReleaseNotes/Knownissues. My personal preference is to explicitly set TIME_FORMAT for my sourcetypes so there is no guessing as to how the time is parsed.

Reply
Solved! Jump to solution

travispowell
Path Finder
‎04-19-2011 04:43 PM

SOLVED: I ended up setting the TIME_FORMAT. Thanks

0 Karma
Reply
Solved! Jump to solution

travispowell
Path Finder
‎04-19-2011 12:14 PM

Guess that's what I'll have to do. I don't think it's entirely fixed.
Thanks 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

As we step into 2026, it’s the perfect moment to reflect on what an extraordinary year 2025 was for the Splunk ...

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Overview Enterprise Security 8.3 introduces a powerful new feature called “Entity Risk Scoring” (ERS) for ...

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...