Getting Data In

Single server timestamp issues

tpa_splunk
Loves-to-Learn Lots

Hello all,

I am currently running into issues with NetScaler logs with the following format:

2021-01-28T06:14:09.884506+08:00 10.10.10.10 01/27/2021:14:14:14 hostname

I have used the following props to successfully set time format to the second time zone on other heavy forwarders but have been unable to successfully apply it on this heavy forwarder: 

TIME_FORMAT = ^\S\s+\S+\s+
TIME_PREFIX = %m/%d/%Y:%H:%M:%S

I have also tried using a transform to strip the original header and used the following configs with those logs:

999.999.999.999 01/27/2021:14:14:14 hostname

TIME_FORMAT = ^\S\s+
TIME_PREFIX = %m/%d/%Y:%H:%M:%S

When going to the GUI of the HF and trying to index this file once, Splunk says that it fails to parse the timestamp and is reverting to the modtime of the file. I am not sure where the error could be, as I copied a working config from a different forwarder. I have also tried a more specific regex using the following:

TIME_FORMAT = ^\d{4}\-\d{2}\-\d{2}T\d{2}\:\d{2}\:\d{2}\.\d+\+\d+\:\d+\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s+

and still receive an error. Both servers are running 8.0.3 and the file is being written to disk on the forwarder with props applied. I have rewritten the props multiple times and removed all spaces to ensure something wasn't being added by default. When I load the citrix_netscaler sourcetype in Getting Data In, the regex shows up with an error. If I cut and repaste it, it matches the time zone successfully. After saving, the errors come back up. Any advice on this would be appreciated.

harishraj12
Engager

Try this,

TIME_PREFIX = ^\S+\s\S+\s
TIME_FORMAT = %m/%d/%Y:%H:%M:%S
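
To make the difference between the two configs concrete, here is an added Python emulation (not Splunk code, and not from either poster) of how TIME_PREFIX and TIME_FORMAT cooperate: the prefix is a regex that must match up to the timestamp, and the format is a strptime pattern applied to what follows. The sample lines are constructed; the IP and hostnames are placeholders.

```python
import re
from datetime import datetime

# Constructed sample lines in the shape described in the thread: one with an IP
# after the syslog header, one with a hostname (the "working" case).
LINES = {
    "ip_host": "2021-01-28T06:14:09.884506+08:00 10.10.10.10 01/27/2021:14:14:14 hostname",
    "name_host": "2021-01-28T06:14:09.884506+08:00 ns-host01 01/27/2021:14:14:14 hostname",
}

# The configs under discussion. "swapped" is the original post's pair, "answer" is the
# suggested fix. Keys are the props.conf setting names.
CONFIGS = {
    "swapped": {"TIME_PREFIX": r"%m/%d/%Y:%H:%M:%S", "TIME_FORMAT": r"^\S\s+\S+\s+"},
    "unswapped_single_S": {"TIME_PREFIX": r"^\S\s+\S+\s+", "TIME_FORMAT": "%m/%d/%Y:%H:%M:%S"},
    "answer": {"TIME_PREFIX": r"^\S+\s\S+\s", "TIME_FORMAT": "%m/%d/%Y:%H:%M:%S"},
}


def extract_timestamp(line, time_prefix, time_format):
    """Simplified model (an assumption, not Splunk's real parser): the prefix regex
    must match, then the next whitespace-delimited token is parsed with strptime.
    Returns an ISO 8601 string, or None when Splunk would fall back to modtime."""
    m = re.search(time_prefix, line)
    if not m:
        return None  # prefix never matched: no timestamp is even attempted
    rest = line[m.end():].split()
    if not rest:
        return None
    try:
        return datetime.strptime(rest[0], time_format).isoformat()
    except ValueError:
        return None  # token did not fit the strptime format


def check_all():
    """Run every config against every sample line; returns {config: {line: result}}."""
    return {
        name: {tag: extract_timestamp(line, cfg["TIME_PREFIX"], cfg["TIME_FORMAT"])
               for tag, line in LINES.items()}
        for name, cfg in CONFIGS.items()
    }


if __name__ == "__main__":
    for name, results in check_all().items():
        print(f"{name}: {results}")
```

Only the "answer" config yields a timestamp for both line shapes: the swapped pair fails because a strptime pattern is being used as a regex, and `^\S\s+` fails because a single `\S` consumes one character and then demands whitespace.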

tpa_splunk
Loves-to-Learn Lots

Same result. I also tried using the literal hostname in the TIME_PREFIX, as it is the same for this instance, and had no luck. Can you think of any reason that the TIME_FORMAT would be valid for one instance and not for another when both are running 8.0.3? The only difference between the logs is that the ones that are working have a hostname in front of the time and these have an IP. \S+ will handle both, and Splunk is not outputting any additional errors in splunkd.
