Getting Data In

how to extract multiple timestamp formats for syslog input

alextsui
Path Finder

Hi, I have set up Splunk to listen on udp:514 for syslog input and run into a problem when some logs have single timestamp information and others have multiple timestamp information within the logs.

Sample log 1: Jan 31 14:45:17 10.10.10.11 postfix/cleanup[32495]:.........(omitted)

Sample log 2: Jan 31 14:46:12 10.10.10.10 Jan 31 14:50:50 Forwarded........(omitted)

I need to extract the second timestamp in sample log 2 (10.10.10.10 is extracted to be the host by Splunk) and have tried using the following configuration without success.

inputs.conf:

[udp://514]
disabled = false
connection_host = ip
sourcetype = syslog

props.conf:

[host::10.10.10.10]
TIME_PREFIX = \w+\s+\d+\s+\d+:\d+:\d+\s+\d+\.\d+\.\d+\.\d+\s+
TIME_FORMAT = %b %d %T
MAX_TIMESTAMP_LOOKAHEAD = 50

From another Splunk Answers post, "How to Configure timestamps for events with multiple timestamps", gkanapathy mentioned: "it is very likely that the host that you see in the event (foo.bar.com) is being set because your sourcetype is syslog. the actual host for a syslog event may or may not be the same". If this were true, how do I apply the timestamp extraction config by host? OR is there a workaround?

Thanks.


gkanapathy
Splunk Employee

If there are multiple timestamps, you can use a custom DATETIME_CONFIG instead of specifying TIME_FORMAT and TIME_PREFIX. This is not heavily documented, but basically, you create a custom version of the $SPLUNK_HOME/etc/datetime.xml file (remove the default patterns, and insert the specific patterns that you want to match), then set DATETIME_CONFIG to point to this new custom file instead of using TIME_FORMAT/TIME_PREFIX.

Note that if TIME_FORMAT fails to match or is not specified, Splunk will fall through and try the DATETIME_CONFIG file to find a timestamp in an event. The default Splunk datetime.xml has several common patterns, and is what is used by Splunk to "guess" at timestamps in an event. If you have a specific set of patterns, you can make the timestamp extraction more precise, more controlled, and less CPU-intensive (and faster) with a custom DATETIME_CONFIG.
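To see the fall-through behaviour described above on the two sample lines from the question, here is a small Python model (an added example, not Splunk's parser and not from this thread). It takes the TIME_PREFIX, TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD from the question's props.conf, and uses one generic BSD-syslog pattern as a stand-in for the default datetime.xml; the full sample lines, the assumed year and the fallback pattern are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed full versions of the two truncated sample lines in the question.
SAMPLE_1 = "Jan 31 14:45:17 10.10.10.11 postfix/cleanup[32495]: message-id=<constructed@example>"
SAMPLE_2 = "Jan 31 14:46:12 10.10.10.10 Jan 31 14:50:50 Forwarded message (constructed payload)"

# Settings copied from the question's props.conf stanza.
TIME_PREFIX = r"\w+\s+\d+\s+\d+:\d+:\d+\s+\d+\.\d+\.\d+\.\d+\s+"
TIME_FORMAT = "%b %d %T"
MAX_TIMESTAMP_LOOKAHEAD = 50

# Stand-in (assumption) for the default datetime.xml "guess": first BSD-syslog stamp in the event.
FALLBACK = re.compile(r"([A-Za-z]{3})\s+(\d{1,2})\s+(\d{2}):(\d{2}):(\d{2})")

# strptime directives used by the question's TIME_FORMAT, as regex fragments.
TOKENS = {"%b": r"[A-Za-z]{3}", "%d": r"\d{1,2}", "%H": r"\d{2}", "%M": r"\d{2}",
          "%S": r"\d{2}", "%T": r"\d{2}:\d{2}:\d{2}"}

def format_to_regex(fmt):
    """Build a regex that matches exactly the text a TIME_FORMAT describes."""
    out, i = "", 0
    while i < len(fmt):
        tok = fmt[i:i + 2]
        if tok in TOKENS:
            out += TOKENS[tok]
            i += 2
        else:
            out += re.escape(fmt[i])
            i += 1
    return out

def extract_timestamp(event, year=2024):
    """Return ('TIME_FORMAT' | 'fallback' | None, datetime | None).

    Syslog lines carry no year, so the caller supplies one (Splunk assumes the current year).
    """
    m = re.search(TIME_PREFIX, event)
    if m:
        # Only the lookahead window after the prefix is considered, as in Splunk.
        window = event[m.end():m.end() + MAX_TIMESTAMP_LOOKAHEAD]
        ts = re.match(format_to_regex(TIME_FORMAT), window)
        if ts:
            py_fmt = TIME_FORMAT.replace("%T", "%H:%M:%S")  # Python strptime lacks %T
            return "TIME_FORMAT", datetime.strptime(f"{year} {ts.group(0)}", f"%Y {py_fmt}")
    fb = FALLBACK.search(event)  # TIME_PREFIX/TIME_FORMAT did not match: fall through
    if fb:
        mon, day, hh, mm, ss = fb.groups()
        return "fallback", datetime.strptime(f"{year} {mon} {day} {hh}:{mm}:{ss}", "%Y %b %d %H:%M:%S")
    return None, None

if __name__ == "__main__":
    for line in (SAMPLE_1, SAMPLE_2):
        print(extract_timestamp(line))
```

Sample 2 is timestamped from the second stamp (14:50:50) via TIME_FORMAT, while sample 1 matches the prefix but not the format and falls through to the generic pattern (14:45:17), which is why narrowing that fallback with a custom DATETIME_CONFIG matters.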

gkanapathy
Splunk Employee

You can apply it to the hosts, provided you know the host name ahead of time, and it's the host name that Splunk sees coming in before any TRANSFORMS are applied. Note that syslog sourcetypes usually TRANSFORM the host to whatever is in the event text, so what is indexed is not what Splunk sees coming in.


alextsui
Path Finder

Can I apply the DATETIME_CONFIG to hosts in the props.conf? For example:
[host::10.10.10.10]
DATETIME_CONFIG = /datetime.xml

I thought the problem was that it could not be applied to the host because the host name may or may not be the one I see on the search app's main dashboard?
