Getting Data In

Why is the Symantec time_format not working?

pfabrizi
Path Finder

I am trying to set the time format from our Symantec events to the value of 'occurred_on' in my props.conf.

Here is the event string:
",occurred_on="March 2, 2018 6:50:14 AM",

Here is how the time is displayed:
3/2/18
6:50:27.000 AM

Here is my props.conf:

[symantec]

TIME_PREFIX = occurred_on=\"([A-Za-z]+\s\d{1,2},\s\d{4}\s\d{1,2}:\d{1,2}:\d{1,2})
TIME_FORMAT = %B %d, %Y %H:%M:%S

I changed the time_prefix last night to what it was. I did have it earlier as [A-Za-z\s,0-9:]+

Each of these expressions worked in regex101; I changed it to what it is now because I only wanted to grab the time minus the AM/PM.

I have deployed and also restarted Splunk on my devices.

Any thoughts on what I am doing wrong, or even how to debug this?

Thanks!

0 Karma
1 Solution

richgalloway
SplunkTrust

The TIME_PREFIX attribute should contain a regular expression describing what comes before the timestamp. In your case it should be TIME_PREFIX = occurred_on=\".
Your TIME_FORMAT setting doesn't quite match your sample event. Try %B %d, %Y %H:%M:%S %p. If you leave out the "%p", Splunk will interpret "6:50:27 AM" and "6:50:27 PM" as 06:50:27, which probably is not what you want.

---
If this reply helps you, an upvote would be appreciated.

0 Karma

pfabrizi
Path Finder

This is not working.

I am still seeing the time off:

occurred_on="March 2, 2018 3:22:10 PM"
is showing as 3:22:16.000 PM

So there is a 6+ second difference.

The text occurred_on starts at position 1165 and ends around 1204. Does this create an issue?

0 Karma

gjanders
SplunkTrust

As per the date and time format variable documentation, I think your TIME_FORMAT is close but not quite right!

Try:

TIME_FORMAT = %B %e, %Y %I:%M:%S %p

I'm not 100% sure that is correct, but I think it's closer. Your splunkd log files should inform you if the timestamp parsing is not working as expected.

From the documentation:
%e "Like %d, the day of the month as a decimal number, but a leading zero is replaced by a space. (1 to 31) "
%I "Hour (12-hour clock) with the hours represented by the values 01 to 12. Leading zeros are accepted but not required. "

0 Karma
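An added example, not code from any of the posters: a small Python emulation of how TIME_PREFIX and TIME_FORMAT pick the timestamp out of an event, run against the poster's original settings, richgalloway's corrected prefix without %p, and the full %I/%p format suggested above. Python's strptime has no %e, so %d (which in Python also accepts an unpadded day) stands in for it; the events and the fields around occurred_on are constructed.

```python
import re
from datetime import datetime

# Constructed sample events (not from the original post); only the
# ',occurred_on="March 2, 2018 6:50:14 AM",' fragment mirrors the thread.
EVENTS = [
    'src=10.0.0.5,occurred_on="March 2, 2018 6:50:14 AM",sev=info',
    'src=10.0.0.7,occurred_on="March 2, 2018 3:22:10 PM",sev=high',
]

# The original TIME_PREFIX swallows the timestamp itself; the fixed one
# stops right before it, which is what TIME_PREFIX is meant to do.
PREFIX_ORIGINAL = r'occurred_on="([A-Za-z]+\s\d{1,2},\s\d{4}\s\d{1,2}:\d{1,2}:\d{1,2})'
PREFIX_FIXED = r'occurred_on="'

# Python's strptime has no %e; its %d also accepts an unpadded day, so it
# stands in for Splunk's %e here.
FORMAT_NO_AMPM = "%B %d, %Y %H:%M:%S"    # 24-hour hour field, no %p
FORMAT_FIXED = "%B %d, %Y %I:%M:%S %p"   # 12-hour hour field plus AM/PM


def extract_timestamp(event, time_prefix, time_format, lookahead=128):
    """Emulate TIME_PREFIX + TIME_FORMAT: parse the text right after the
    prefix match and ignore whatever trails the timestamp, the way
    Splunk's strptime does. Returns None when nothing parses."""
    m = re.search(time_prefix, event)
    if not m:
        return None
    window = event[m.end():m.end() + lookahead]
    # datetime.strptime must consume its whole input, so try the longest
    # prefix of the window first and shrink until one parses.
    for end in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:end], time_format)
        except ValueError:
            continue
    return None


def compare_configs(event):
    """Run the three configurations discussed in the thread on one event."""
    return {
        "original_prefix": extract_timestamp(event, PREFIX_ORIGINAL, FORMAT_NO_AMPM),
        "fixed_prefix_no_ampm": extract_timestamp(event, PREFIX_FIXED, FORMAT_NO_AMPM),
        "fixed": extract_timestamp(event, PREFIX_FIXED, FORMAT_FIXED),
    }
```

Calling compare_configs on the PM event returns None for the original prefix (nothing parseable follows the captured timestamp), 03:22:10 for the fixed prefix without %p, and 15:22:10 for the full format.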

pfabrizi
Path Finder

Thanks!

Do you recommend the troubleshooting class? Will that help with this stuff?

0 Karma

gjanders
SplunkTrust

Which troubleshooting class? I'd recommend reading the splunkd logs carefully; I even built an application to detect various errors in the logs called Alerts For Splunk Admins.

Although in this case the alerts would just find the date parsing not working, the documentation for Splunk is also quite useful here...

0 Karma

pfabrizi
Path Finder

Can you explain what the %Y:%M:%S is?

I thought %M and %S were minutes and seconds?

What about the hour?

Thanks!

0 Karma

richgalloway
SplunkTrust

Sorry, I did leave out the hour. I've corrected my answer.

---
If this reply helps you, an upvote would be appreciated.
0 Karma