Please help me Time_PREFIX

karn · ‎07-02-2018

I have logs that send from syslog server, so there are 2 timestamps. I would like to use 2nd timestamp to be _time by using TIME_PREFIX. However, it doesn't match if the log come from syslog. It's match if using monitor file.

Jun 15 10:06:58 10.226.48.229 Jun 15 10:06:59 111.111.111.111 1 2018-06-15T10:06:51.424243+07:00 node01 kernel - - - [9079188.370611] RULE 0 -- ACCEPT IN=eth1 OUT=eth2 MAC=00:50:56:a0:e4:fa:00:50:56:b6:0a:53:08:00 SRC=10.60.0.3 DST=10.99.2.198 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=13091 DF PROTO=TCP SPT=55646 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 

Jun 15 10:06:58 10.226.48.229 Jun 15 10:06:51 111.111.111.111 haproxy[3645]: 1.46.134.132:2195 [15/Jun/2018:10:06:51.292] https-web~ https-backend/www01 116/0/12/3/131 404 424 - - ---- 3/3/0/0/0 0/0 "GET /favicon.ico HTTP/1.1"

My props.conf is

[syslog]
TIME_PREFIX = ^\w+\s\d+\s\d+\:\d+\:\d+\s\d+\.\d+\.\d+\.\d+\s
MAX_TIMESTAMP_LOOKAHEAD = 16

ddrillic · ‎07-03-2018

You can work interactively with the site. Something like -

niketn · ‎07-03-2018

@karn, you seem to have a whitespace before first timestamp. If that is actually present in your logs you should try the following:

TIME_FORMAT=%b %d %H:%M:%S
TIME_PREFIX=^\s+\w+\s\d+\s\d+\:\d+\:\d+\s\d+\.\d+\.\d+\.\d+\s
MAX_TIMESTAMP_LOOKAHEAD=15

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

ddrillic · ‎07-03-2018

Which line is the syslog?

Please help me Time_PREFIX

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability