SC4S Timestamp Extraction for Custom Inputs

Getting Data In

Hi,

I created my custom input (mytest.conf.tmpl) by coping the /opt/sc4s/local/config/log_paths/lp-example.conf.tmpl. When I send following event to SC4S from port 5144, timestamp is extracted as attach "1/28/21 4:31:30.000 PM" . I see that timestamp is extracted by adding three hours to this (Jan 28 13:21:30 )

However when I read from file mytest123.log, as you can see timestamp is extracted correctly 1:21:27 PM.

props.conf for mytest123.log

[sc4s:forcepoint]

TIME_PREFIX= \srt=

MAX_TIMESTAMP_LOOKAHEAD=15

How can I extract timestamp correctly?

Thanks,

Converted 13 digit epoch time = Thursday, January 28, 2021 1:21:27 PM GMT+03:00

"<13> Jan 28 13:35:04 myhost vendor=myvendor product="My xx Security" version=9.9.9 event=Message dvc=111.111.111.111 dvchost=myhost rt=1611829287000 externalId=999999900000000 messageId=mmmmm suser="abcd@xxx.com" duser="aa.bb@xxxx.com " msg="MY Event""

Get Updates on the Splunk Community!

SC4S Timestamp Extraction for Custom Inputs

syslog

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Global Splunk User Group Events: May + June 2026

Join the Conversation

SC4S Timestamp Extraction for Custom Inputs

syslog

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Global Splunk User Group Events: May + June 2026