
Timestamp issue with firewall logs

tkerr1357
Path Finder

Hi all,


Still learning Splunk here, and we just started ingesting FortiGate firewall logs. After a recent FortiGate update, the logs are all coming in with a timestamp of 5am. The logs are coming in via syslog to an HF. I have tried using

TIME_FORMAT = date=%Y-%m-%d time=%H:%M:%S
TIME_PREFIX = ^\s*<\d{3}>

which was suggested in another FortiGate ticket, without any luck. Any help is appreciated.

11/6/20
5:00:00.000 AM
<189>logver=602055878 timestamp=1604673601 tz="UTC-5:00" devname="RNHN-FW1800F" devid="FG181FTK20900192" vd="CORP" date=2020-11-06 time=09:40:01 logid="0001000014" type="traffic" subtype="local" level="notice" eventtime=1604673601539310045 tz="-0500" srcip=87.251.80.10 srcport=53887 srcintf="FairPoint_WAN_B" srcintfrole="wan" dstip=71.181.10.217 dstport=2256 dstintf="unknown0" dstintfrole="undefined" sessionid=45763314 proto=6 action="deny" policyid=0 policytype="local-in-policy" service="tcp/2256" dstcountry="United States" srccountry="Russian Federation" trandisp="noop" app="tcp/2256" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=5 craction=262144 crlevel="low" mastersrcmac="02:00:40:05:26:15" srcmac="02:00:40:05:26:15" srcserver=1

richgalloway
SplunkTrust

The TIME_PREFIX value does not match the example data. Try these settings:

TIME_FORMAT = %Y-%m-%d time=%H:%M:%S
TIME_PREFIX = date=
---
If this reply helps you, Karma would be appreciated.
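A small model of how TIME_PREFIX and TIME_FORMAT locate a timestamp, run over the sample event from the question, showing why the original settings find nothing while the suggested pair resolves to 2020-11-06 09:40:01. This is an added illustration, not Splunk's own code; it assumes, as a simplification, that the whole timestamp string must fall within the default MAX_TIMESTAMP_LOOKAHEAD of 128 characters after the end of the TIME_PREFIX match.

```python
"""Simplified model of Splunk's TIME_PREFIX / TIME_FORMAT / MAX_TIMESTAMP_LOOKAHEAD."""
import re
from datetime import datetime

# Sample event from the question, trimmed after the second tz= field.
EVENT = ('<189>logver=602055878 timestamp=1604673601 tz="UTC-5:00" devname="RNHN-FW1800F" '
         'devid="FG181FTK20900192" vd="CORP" date=2020-11-06 time=09:40:01 logid="0001000014" '
         'type="traffic" subtype="local" level="notice" eventtime=1604673601539310045 tz="-0500"')

# strptime directives used in this thread, mapped to regex fragments.
_DIRECTIVES = {"%Y": r"\d{4}", "%m": r"\d{2}", "%d": r"\d{2}",
               "%H": r"\d{2}", "%M": r"\d{2}", "%S": r"\d{2}"}


def format_to_regex(time_format: str) -> str:
    """Turn a strptime-style TIME_FORMAT into a regex; literal text is escaped."""
    parts = re.split(r"(%[YmdHMS])", time_format)
    return "".join(_DIRECTIVES.get(p, re.escape(p)) for p in parts)


def extract_timestamp(event: str, time_prefix: str, time_format: str, lookahead: int = 128):
    """Return the datetime this model extracts, or None when no timestamp is found.

    Assumption (simplification of Splunk's behaviour): the search starts right after
    the first TIME_PREFIX match and the entire timestamp string must fit inside the
    next `lookahead` characters, mirroring MAX_TIMESTAMP_LOOKAHEAD's default of 128.
    """
    prefix = re.search(time_prefix, event)
    if not prefix:
        return None
    window = event[prefix.end(): prefix.end() + lookahead]
    found = re.search(format_to_regex(time_format), window)
    if not found:
        return None
    return datetime.strptime(found.group(0), time_format)


if __name__ == "__main__":
    # Original settings: the prefix matches "<189>", but date=...time=... sits
    # 110 characters later and runs past the 128-character window.
    print(extract_timestamp(EVENT, r"^\s*<\d{3}>", "date=%Y-%m-%d time=%H:%M:%S"))
    # Suggested settings: the prefix lands directly in front of the timestamp.
    print(extract_timestamp(EVENT, "date=", "%Y-%m-%d time=%H:%M:%S"))
```

The lesson carries over to props.conf: anchor TIME_PREFIX as close to the timestamp as possible, or raise MAX_TIMESTAMP_LOOKAHEAD when the timestamp sits deep inside the event.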