Other Usage
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Missing date, time and host in logs from sc4s

Adpafer
Loves-to-Learn Everything
‎12-18-2023 06:20 AM

Hi there,

Logs sent to SC4S include date, time and host in the event, however when they are sent to Indexer, the date, time and host are missing. How can I get them back so the logs will look exactly the same?

sc4s.jpgindexer.jpg

I would like date, time and host included in the event.

I appreciate any hints.

thanks and regards, pawelF

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎12-18-2023 02:03 PM

You need to look at how the input is processed and the definition of inputs.conf/props.conf for that linux sourcetype.

As you can see in that event example, the time in the log message is 15:04:57, but the time in the Splunk event is 15:03:57, i.e. a minute earlier - so that date is not the one being used when Splunk is ingested.

I am not familiar with SC4S, but has someone written a parser for that data - if so, it may be that the issue is at the SC4S parsing end.

 

0 Karma
Reply
Get Updates on the Splunk Community!

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

[Puzzles] Solve, Learn, Repeat: Nested loops in Event Conversion

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Your Guide to Splunk Digital Experience Monitoring

A flawless digital experience isn't just an advantage, it's key to customer loyalty and business success. But ...