Getting Data In

Why is timestamp not selecting proper field in syslog data after upgrade to 7.3.3?

scottrunyon
Contributor

My data is from a command system that is being sent over UDP connection direct to the indexer. It sends data to Splunk every hour.
Data format is Month Date Time sent from command system, system name, 1, Logon Time
Examples
Dec 10 00:51:46 system.network.net 1 2019-12-10T00:51:19.188-06:00
Dec 9 10:58:25 system.netework.net 1 2019-12-09T10:58:23.793-06:00
Dec 9 22:38:38 system.network.net 1 2019-12-06T08:05:23.745-06:00

I want to use Logon Time as the event time not the time it was received.

This used to work until I upgraded to 7.3.3 from 7.3.0 to fix the Y2K20 issue.

props file contains
DATETIME_CONFIG =
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3Q%:z
TIME_PREFIX = \w+\s{1,}\d{1,}\s\d{2}:\d{2}:\d{2}\s\S+\s\d\s
category = Custom
disabled = false
MAX_TIMESTAMP_LOOKAHEAD = 256
TIMESTAMP_FIELDS =

Any suggestions on what happened?

Scott

0 Karma
1 Solution

FrankVl
Ultra Champion

Try removing the blank DATETIME_CONFIG = setting.

View solution in original post

0 Karma

FrankVl
Ultra Champion

Try removing the blank DATETIME_CONFIG = setting.

0 Karma
Get Updates on the Splunk Community!

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...