Getting Data In

Timestamp issue with firewall logs

tkerr1357
Path Finder

Hi all,

Still learning Splunk here, and we just started ingesting FortiGate firewall logs. After a recent FortiGate update the logs are all coming in with a timestamp of 5am. The logs are coming in via syslog to a HF. I have tried using

TIME_FORMAT = date=%Y-%m-%d time=%H:%M:%S
TIME_PREFIX = ^\s*<\d{3}>

which was suggested in another FortiGate ticket, without any luck. Any help is appreciated.

11/6/20
5:00:00.000 AM

<189>logver=602055878 timestamp=1604673601 tz="UTC-5:00" devname="RNHN-FW1800F" devid="FG181FTK20900192" vd="CORP" date=2020-11-06 time=09:40:01 logid="0001000014" type="traffic" subtype="local" level="notice" eventtime=1604673601539310045 tz="-0500" srcip=87.251.80.10 srcport=53887 srcintf="FairPoint_WAN_B" srcintfrole="wan" dstip=71.181.10.217 dstport=2256 dstintf="unknown0" dstintfrole="undefined" sessionid=45763314 proto=6 action="deny" policyid=0 policytype="local-in-policy" service="tcp/2256" dstcountry="United States" srccountry="Russian Federation" trandisp="noop" app="tcp/2256" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=5 craction=262144 crlevel="low" mastersrcmac="02:00:40:05:26:15" srcmac="02:00:40:05:26:15" srcserver=1

richgalloway
SplunkTrust

The TIME_PREFIX value does not match the example data. Try these settings:

TIME_FORMAT = %Y-%m-%d time=%H:%M:%S
TIME_PREFIX = date=
---
If this reply helps you, Karma would be appreciated.
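As an added check (not part of the thread, and a simplified model rather than Splunk's actual timestamp parser), the script below applies both sets of TIME_PREFIX/TIME_FORMAT settings to the event posted in the question: it finds the first TIME_PREFIX match, tries TIME_FORMAT on the text that follows within Splunk's default 128-character MAX_TIMESTAMP_LOOKAHEAD, and converts the result to epoch seconds so it can be compared with the firewall's own timestamp= field. The time-zone handling is an assumption for the demonstration: it reads the event's trailing tz="-0500" field, which Splunk does not do by itself; in props.conf that is the job of the TZ setting, and without it the HF's local zone applies, which the last call in the block shows.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the FortiGate event from the question, cut after the fields that matter here.
SAMPLE_EVENT = (
    '<189>logver=602055878 timestamp=1604673601 tz="UTC-5:00" devname="RNHN-FW1800F" '
    'devid="FG181FTK20900192" vd="CORP" date=2020-11-06 time=09:40:01 logid="0001000014" '
    'type="traffic" subtype="local" level="notice" eventtime=1604673601539310045 tz="-0500"'
)

# The props.conf settings tried in the question and the ones suggested in the answer.
ORIGINAL_PROPS = {"TIME_PREFIX": r"^\s*<\d{3}>", "TIME_FORMAT": "date=%Y-%m-%d time=%H:%M:%S"}
SUGGESTED_PROPS = {"TIME_PREFIX": r"date=", "TIME_FORMAT": "%Y-%m-%d time=%H:%M:%S"}

MAX_TIMESTAMP_LOOKAHEAD = 128  # Splunk's default, counted from the end of the TIME_PREFIX match
UTC = timezone.utc


def extract_naive_timestamp(event, props, lookahead=MAX_TIMESTAMP_LOOKAHEAD):
    """Imitate TIME_PREFIX / TIME_FORMAT extraction (simplified model, not Splunk's own code).

    Find the first TIME_PREFIX match, then strptime the text after it with TIME_FORMAT.
    Returns a naive datetime, or None when the settings cannot produce a timestamp.
    """
    m = re.search(props["TIME_PREFIX"], event)
    if m is None:
        return None
    window = event[m.end():m.end() + lookahead]
    # strptime wants an exact match, so shrink the slice from the right until the
    # format consumes all of it; this mirrors a parser that stops where the format ends.
    for end in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:end], props["TIME_FORMAT"])
        except ValueError:
            continue
    return None


def event_utc_offset(event):
    """Read the trailing tz="-0500" field FortiGate puts on the event (assumed +HHMM/-HHMM form).
    The earlier tz="UTC-5:00" field is deliberately not matched."""
    m = re.search(r'\btz="([+-])(\d{2})(\d{2})"', event)
    if m is None:
        return None
    sign = 1 if m.group(1) == "+" else -1
    return timezone(sign * timedelta(hours=int(m.group(2)), minutes=int(m.group(3))))


def extract_epoch(event, props, tz=None):
    """Epoch seconds the extracted wall-clock time maps to when interpreted in `tz`.
    `tz` plays the role of the props.conf TZ setting; None means 'trust the event's tz field'."""
    naive = extract_naive_timestamp(event, props)
    if naive is None:
        return None
    tz = tz or event_utc_offset(event) or UTC
    return int(naive.replace(tzinfo=tz).timestamp())


def device_epoch(event):
    """The firewall's own timestamp= field, used as ground truth for the check."""
    m = re.search(r"\btimestamp=(\d+)", event)
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    print("original settings :", extract_naive_timestamp(SAMPLE_EVENT, ORIGINAL_PROPS))
    print("suggested settings:", extract_naive_timestamp(SAMPLE_EVENT, SUGGESTED_PROPS))
    print("epoch with event tz:", extract_epoch(SAMPLE_EVENT, SUGGESTED_PROPS),
          "device says:", device_epoch(SAMPLE_EVENT))
    # With no TZ in props.conf and the HF running in UTC, the same wall-clock time lands 5 hours early.
    print("epoch if HF is UTC :", extract_epoch(SAMPLE_EVENT, SUGGESTED_PROPS, tz=UTC))
```

Running it shows the question's settings return None: that prefix stops right after the <189> PRI, so the literal date= in TIME_FORMAT never lines up with the logver= text that follows. The suggested settings yield 09:40:01 and, with the -0500 offset applied, epoch 1604673601, which equals the device's timestamp= field. If the HF or indexer is not in the firewall's zone, add a TZ setting to the same props.conf stanza, otherwise the parsed wall-clock time is shifted by the difference.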