Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Please help me Time_PREFIX

karn
Path Finder
‎07-02-2018 07:59 PM

I have logs that send from syslog server, so there are 2 timestamps. I would like to use 2nd timestamp to be _time by using TIME_PREFIX. However, it doesn't match if the log come from syslog. It's match if using monitor file.

Jun 15 10:06:58 10.226.48.229 Jun 15 10:06:59 111.111.111.111 1 2018-06-15T10:06:51.424243+07:00 node01 kernel - - - [9079188.370611] RULE 0 -- ACCEPT IN=eth1 OUT=eth2 MAC=00:50:56:a0:e4:fa:00:50:56:b6:0a:53:08:00 SRC=10.60.0.3 DST=10.99.2.198 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=13091 DF PROTO=TCP SPT=55646 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 

Jun 15 10:06:58 10.226.48.229 Jun 15 10:06:51 111.111.111.111 haproxy[3645]: 1.46.134.132:2195 [15/Jun/2018:10:06:51.292] https-web~ https-backend/www01 116/0/12/3/131 404 424 - - ---- 3/3/0/0/0 0/0 "GET /favicon.ico HTTP/1.1"

My props.conf is 

[syslog]
TIME_PREFIX = ^\w+\s\d+\s\d+\:\d+\:\d+\s\d+\.\d+\.\d+\.\d+\s
MAX_TIMESTAMP_LOOKAHEAD = 16
0 Karma
Reply

ddrillic
Ultra Champion
‎07-03-2018 06:59 AM

You can work interactively with the site. Something like -

alt text

Preview file
136 KB
0 Karma
Reply

niketn
Legend
‎07-03-2018 06:55 AM

@karn, you seem to have a whitespace before first timestamp. If that is actually present in your logs you should try the following:

TIME_FORMAT=%b %d %H:%M:%S
TIME_PREFIX=^\s+\w+\s\d+\s\d+\:\d+\:\d+\s\d+\.\d+\.\d+\.\d+\s
MAX_TIMESTAMP_LOOKAHEAD=15
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

ddrillic
Ultra Champion
‎07-03-2018 06:51 AM

Which line is the syslog?

0 Karma
Reply
Get Updates on the Splunk Community!

Community Feedback

We Want to Hear from You! Share Your Feedback on the Splunk Community   The Splunk Community is built for you ...

Manual Instrumentation with Splunk Observability Cloud: Implementing the ...

In our observability journey so far, we've built comprehensive instrumentation for our Worms in Space ...

Celebrating Fast Lane: 2025 Authorized Learning Partner of the Year

At .conf25, Splunk proudly recognized Fast Lane as the 2025 Authorized Learning Partner of the Year. This ...