Other Usage
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Missing date, time and host in logs from sc4s

Adpafer
Loves-to-Learn Everything
‎12-18-2023 06:20 AM

Hi there,

Logs sent to SC4S include date, time and host in the event, however when they are sent to Indexer, the date, time and host are missing. How can I get them back so the logs will look exactly the same?

sc4s.jpgindexer.jpg

I would like date, time and host included in the event.

I appreciate any hints.

thanks and regards, pawelF

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎12-18-2023 02:03 PM

You need to look at how the input is processed and the definition of inputs.conf/props.conf for that linux sourcetype.

As you can see in that event example, the time in the log message is 15:04:57, but the time in the Splunk event is 15:03:57, i.e. a minute earlier - so that date is not the one being used when Splunk is ingested.

I am not familiar with SC4S, but has someone written a parser for that data - if so, it may be that the issue is at the SC4S parsing end.

 

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...