Getting Data In

Please help me Time_PREFIX


I have logs that send from syslog server, so there are 2 timestamps. I would like to use 2nd timestamp to be _time by using TIME_PREFIX. However, it doesn't match if the log come from syslog. It's match if using monitor file.

Jun 15 10:06:58 Jun 15 10:06:59 1 2018-06-15T10:06:51.424243+07:00 node01 kernel - - - [9079188.370611] RULE 0 -- ACCEPT IN=eth1 OUT=eth2 MAC=00:50:56:a0:e4:fa:00:50:56:b6:0a:53:08:00 SRC= DST= LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=13091 DF PROTO=TCP SPT=55646 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 

Jun 15 10:06:58 Jun 15 10:06:51 haproxy[3645]: [15/Jun/2018:10:06:51.292] https-web~ https-backend/www01 116/0/12/3/131 404 424 - - ---- 3/3/0/0/0 0/0 "GET /favicon.ico HTTP/1.1"

My props.conf is

TIME_PREFIX = ^\w+\s\d+\s\d+\:\d+\:\d+\s\d+\.\d+\.\d+\.\d+\s
0 Karma

Ultra Champion

You can work interactively with the site. Something like -

alt text

0 Karma


@karn, you seem to have a whitespace before first timestamp. If that is actually present in your logs you should try the following:

TIME_FORMAT=%b %d %H:%M:%S
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Ultra Champion

Which line is the syslog?

0 Karma
Get Updates on the Splunk Community!

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Greetings, Splunk Cloud Admins and Splunk enthusiasts! The Admin Configuration Service (ACS) team is excited ...

Tech Talk | One Log to Rule Them All

One log to rule them all: how you can centralize your troubleshooting with Splunk logs We know how important ...

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through: An introduction to the Splunk Threat ...