Getting Data In

SC4S Timestamp Extraction for Custom Inputs

mbozbura
Engager

Hi, 

I created my custom input (mytest.conf.tmpl) by coping the /opt/sc4s/local/config/log_paths/lp-example.conf.tmpl. When I send following event to SC4S from port 5144, timestamp is extracted as attach "1/28/21 4:31:30.000 PM" . I see that timestamp is extracted by adding three hours to this (Jan 28 13:21:30 )

However when I read from file mytest123.log, as you can see timestamp is extracted correctly 1:21:27 PM.

 

props.conf for mytest123.log

[sc4s:forcepoint]

TIME_PREFIX= \srt=

MAX_TIMESTAMP_LOOKAHEAD=15

 

How can I extract timestamp correctly? 

Thanks,

 

Converted 13 digit epoch time = Thursday, January 28, 2021 1:21:27 PM GMT+03:00

"<13> Jan 28 13:35:04 myhost vendor=myvendor product="My xx Security" version=9.9.9 event=Message dvc=111.111.111.111 dvchost=myhost rt=1611829287000 externalId=999999900000000 messageId=mmmmm suser="abcd@xxx.com" duser="aa.bb@xxxx.com " msg="MY Event""

mytest.png

mytest1.png

 

 





Labels (1)
0 Karma
Get Updates on the Splunk Community!

Security Highlights | November 2022 Newsletter

 November 2022 2022 Gartner Magic Quadrant for SIEM: Splunk Named a Leader for the 9th Year in a RowSplunk is ...

Platform Highlights | November 2022 Newsletter

 November 2022 Skill Up on Splunk with our New Builder Tech Talk SeriesCan you build it? Yes you can! *play ...

Splunk Education - Fast Start Program!

Welcome to Splunk Education! Splunk training programs are designed to enable you to get started quickly and ...