Getting Data In

SC4S Timestamp Extraction for Custom Inputs



I created my custom input (mytest.conf.tmpl) by coping the /opt/sc4s/local/config/log_paths/lp-example.conf.tmpl. When I send following event to SC4S from port 5144, timestamp is extracted as attach "1/28/21 4:31:30.000 PM" . I see that timestamp is extracted by adding three hours to this (Jan 28 13:21:30 )

However when I read from file mytest123.log, as you can see timestamp is extracted correctly 1:21:27 PM.


props.conf for mytest123.log





How can I extract timestamp correctly? 



Converted 13 digit epoch time = Thursday, January 28, 2021 1:21:27 PM GMT+03:00

"<13> Jan 28 13:35:04 myhost vendor=myvendor product="My xx Security" version=9.9.9 event=Message dvc= dvchost=myhost rt=1611829287000 externalId=999999900000000 messageId=mmmmm suser="" duser=" " msg="MY Event""





Labels (1)
0 Karma
Get Updates on the Splunk Community!

Security Highlights | November 2022 Newsletter

 November 2022 2022 Gartner Magic Quadrant for SIEM: Splunk Named a Leader for the 9th Year in a RowSplunk is ...

Platform Highlights | November 2022 Newsletter

 November 2022 Skill Up on Splunk with our New Builder Tech Talk SeriesCan you build it? Yes you can! *play ...

Splunk Education - Fast Start Program!

Welcome to Splunk Education! Splunk training programs are designed to enable you to get started quickly and ...