
HELP with CEF CSV time format

yhetti
New Member

I am new to Splunk and I have inherited a system that forwards logs in CEF CSV format.  These logs are then tar'd up and sent to the distant end (which does happen successfully).  The issue I have is when the Splunk server picks up the CEF CSV it has epoch time as the first entry of every log in the CEF CSV file.  This makes the next hop/stop aggregator I send to unhappy.


original host (forwarder) -> splunk host -> splunk host -> master aggregator (arcsight type server)

example:

1706735561, "blah blah blah"

the file cef.csv says it's doing "_time","_raw"

When I look at what I think is the setup for time (etc/datetime.xml), _time does not have anything about epoch or %s in there.

How do I configure the CEF CSV to omit the epoch time?

As I mentioned earlier, I am totally new to Splunk.  Any help would be fantastic.


PickleRick
SplunkTrust

1. Do you use indexed extractions or not?

2. Do you have time extraction properly configured (TIME_PREFIX, TIME_FORMAT, MAX_TIMESTAMP_LOOKAHEAD)?

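To make the two questions above concrete, here is an added example (not code from the thread or from Splunk) that parses a CEF CSV export laid out as `"_time","_raw"`, the layout the original poster describes. It treats the first column as seconds since the Unix epoch, which is exactly what a `TIME_FORMAT = %s` setting would tell Splunk's timestamp extraction to match, and it shows how to strip that column so only the raw CEF events go on to the next hop. The sample lines, vendor/product names and addresses are constructed for the example; the function names are mine, not a Splunk API.

```python
"""Added example: parse a "_time","_raw" CEF CSV export and emit CEF-only lines.

The sample below is constructed for illustration; it is not a real export.
"""
import csv
import io
from datetime import datetime, timezone

# Constructed sample: the header Splunk writes plus two rows in the
# "epoch, raw CEF" layout described in the question.
SAMPLE_CEF_CSV = '''"_time","_raw"
"1706735561","CEF:0|ExampleVendor|ExampleProduct|1.0|100|Login succeeded|3|src=10.0.0.5 suser=alice"
"1706735599","CEF:0|ExampleVendor|ExampleProduct|1.0|101|Login failed|5|src=10.0.0.9 suser=bob"
"not-a-time","CEF:0|ExampleVendor|ExampleProduct|1.0|102|Malformed row|1|src=10.0.0.1"
'''


def header_is_time_raw(text, expected=("_time", "_raw")):
    """Check that the first CSV row really is the _time,_raw header."""
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    return tuple(next(reader, ())) == expected


def parse_cef_csv(text):
    """Return a list of (timestamp, raw_cef) tuples.

    The _time column is read as integer seconds since the Unix epoch, the
    same interpretation Splunk's TIME_FORMAT = %s gives it.  Rows whose
    _time is not an integer are skipped rather than guessed at, so a
    downstream consumer never receives an event with a made-up time.
    """
    reader = csv.DictReader(io.StringIO(text), skipinitialspace=True)
    rows = []
    for row in reader:
        try:
            ts = datetime.fromtimestamp(int(row["_time"]), tz=timezone.utc)
        except (KeyError, TypeError, ValueError):
            continue
        rows.append((ts, row["_raw"]))
    return rows


def cef_only(text):
    """Drop the epoch column and return just the CEF events, one per line,
    which is the shape a CEF consumer such as a SIEM connector expects."""
    return [raw for _, raw in parse_cef_csv(text)]


if __name__ == "__main__":
    print("header ok:", header_is_time_raw(SAMPLE_CEF_CSV))
    for ts, raw in parse_cef_csv(SAMPLE_CEF_CSV):
        print(ts.isoformat(), raw)
    print("\n".join(cef_only(SAMPLE_CEF_CSV)))
```

The third constructed row shows the failure mode worth handling: a value in the `_time` column that is not an epoch integer is dropped instead of being forwarded with a wrong timestamp. In Splunk terms, the equivalent is getting `TIME_PREFIX`, `TIME_FORMAT` and `MAX_TIMESTAMP_LOOKAHEAD` right so that only the intended field is ever read as the event time.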

yhetti
New Member

Thank You for replying:

I am totally new to this so I don't have the domain knowledge.

I believe it is indexed extractions.

As far as the extraction configuration goes, it shows _time, _raw


Again, I am a total noob; I appreciate any assistance.
