- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- custom datetime.xml is not working for me
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi guys
I have 2 different kind of events inside the same file. I am aware that I need to use a custom datetime.xml in order to recognize the timestamp of each sort of event. However it is not working for me.
These are the two kinds of events and I highlight in bold what should be recognized as the timestamp:
1081|2|20150512|436959|1660|0.00|1.00|0.00|4.5000|0|20
1081|2|436968|20150512|20150512|1336|1|1|000|0.00|0.00|3.20|5959|0034|G|0|20
This is what I coded in my new datetime.xml
<datetime>
<define name="_mc1" extract="year, month, day">
<![CDATA[^[^\|]*(\|[^\|]*)\|(\d\d\d\d)(\d\d)(\d\d)(\|[^\|]*){8}$]]>
</define>
<define name="_mc2" extract="year, month, day, hour, minute">
<![CDATA[^[^\|]*(\|[^\|]*){3}\|(\d\d\d\d)(\d\d)(\d\d)\|(\d\d)(\d\d)(\|[^\|]*){11}$]]>
</define>
<timePatterns>
<use name="_mc2"/>
</timePatterns>
<datePatterns>
<use name="_mc1"/>
<use name="_mc2"/>
</datePatterns>
</datetime>
and in my props.conf this is what I have:
[test]
SHOULD_LINEMERGE = false
MAX_EVENTS = 1
DATETIME_CONFIG = /etc/apps/testing/local/datetime.xml
TZ = Europe/Madrid
MAX_TIMESTAMP_LOOKAHEAD=100
any ideas why my code is not working??
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So, I happened to find the solution and the source of the problem:
When doing the regex, every parenthesis is a capture group that will go into each of the timestamp variables.
I tried using ?: at the groups that I did not need to remember/capture and voila!! it works!!
This is it:
<datetime>
<define name="_mc1" extract="year, month, day">
<text><![CDATA[^[^\|]*(?:\|[^\|]*)\|(\d\d\d\d)(\d\d)(\d\d)(?:\|[^\|]*){8}$]]></text>
</define>
<define name="_mc2" extract="year, month, day, hour, minute">
<text><![CDATA[^[^\|]*(?:\|[^\|]*){3}\|(\d\d\d\d)(\d\d)(\d\d)\|(\d\d)(\d\d)(?:\|[^\|]*){11}$]]></text>
</define>
<timePatterns>
<use name="_mc2"/>
</timePatterns>
<datePatterns>
<use name="_mc1"/>
<use name="_mc2"/>
</datePatterns>
</datetime>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So, I happened to find the solution and the source of the problem:
When doing the regex, every parenthesis is a capture group that will go into each of the timestamp variables.
I tried using ?: at the groups that I did not need to remember/capture and voila!! it works!!
This is it:
<datetime>
<define name="_mc1" extract="year, month, day">
<text><![CDATA[^[^\|]*(?:\|[^\|]*)\|(\d\d\d\d)(\d\d)(\d\d)(?:\|[^\|]*){8}$]]></text>
</define>
<define name="_mc2" extract="year, month, day, hour, minute">
<text><![CDATA[^[^\|]*(?:\|[^\|]*){3}\|(\d\d\d\d)(\d\d)(\d\d)\|(\d\d)(\d\d)(?:\|[^\|]*){11}$]]></text>
</define>
<timePatterns>
<use name="_mc2"/>
</timePatterns>
<datePatterns>
<use name="_mc1"/>
<use name="_mc2"/>
</datePatterns>
</datetime>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The path /etc/apps/testing/local/datetime.xml looks like an absolute path from the filesystem root. Does changing it to etc/apps/testing/local/datetime.xml help?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
no, same thing. The location is not the problem
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
