Getting Data In

Please help me Time_PREFIX

karn
Explorer

I have logs that send from syslog server, so there are 2 timestamps. I would like to use 2nd timestamp to be _time by using TIME_PREFIX. However, it doesn't match if the log come from syslog. It's match if using monitor file.

Jun 15 10:06:58 10.226.48.229 Jun 15 10:06:59 111.111.111.111 1 2018-06-15T10:06:51.424243+07:00 node01 kernel - - - [9079188.370611] RULE 0 -- ACCEPT IN=eth1 OUT=eth2 MAC=00:50:56:a0:e4:fa:00:50:56:b6:0a:53:08:00 SRC=10.60.0.3 DST=10.99.2.198 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=13091 DF PROTO=TCP SPT=55646 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 

Jun 15 10:06:58 10.226.48.229 Jun 15 10:06:51 111.111.111.111 haproxy[3645]: 1.46.134.132:2195 [15/Jun/2018:10:06:51.292] https-web~ https-backend/www01 116/0/12/3/131 404 424 - - ---- 3/3/0/0/0 0/0 "GET /favicon.ico HTTP/1.1"

My props.conf is

[syslog]
TIME_PREFIX = ^\w+\s\d+\s\d+\:\d+\:\d+\s\d+\.\d+\.\d+\.\d+\s
MAX_TIMESTAMP_LOOKAHEAD = 16
0 Karma

ddrillic
Ultra Champion

You can work interactively with the site. Something like -

alt text

0 Karma

niketn
Legend

@karn, you seem to have a whitespace before first timestamp. If that is actually present in your logs you should try the following:

TIME_FORMAT=%b %d %H:%M:%S
TIME_PREFIX=^\s+\w+\s\d+\s\d+\:\d+\:\d+\s\d+\.\d+\.\d+\.\d+\s
MAX_TIMESTAMP_LOOKAHEAD=15
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

ddrillic
Ultra Champion

Which line is the syslog?

0 Karma
Get Updates on the Splunk Community!

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Greetings, Splunk Cloud Admins and Splunk enthusiasts! The Admin Configuration Service (ACS) team is excited ...

Tech Talk | One Log to Rule Them All

One log to rule them all: how you can centralize your troubleshooting with Splunk logs We know how important ...

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through: An introduction to the Splunk Threat ...