Parse Log Messages

mspiegel
New Member

I'm sending a series of events to Splunk with their own time stamp and username info that I built independently of Splunk. Is there any way to run or build a custom report such that I can use the data that I passed in as parameters, instead of only being able to choose from the parameters defined by Splunk?


southeringtonp
Motivator

What do you mean by "parameters defined by Splunk"?

Are you just trying to extract new fields?
     http://www.splunk.com/base/Documentation/latest/User/ExtractNewFields

     http://www.splunk.com/base/Documentation/latest/User/InteractiveFieldExtractionExample


southeringtonp
Motivator

Splunk is pretty good about picking up on timestamps out of the box. Usually if it doesn't see it, that means the timestamp is in a nonstandard format, or there's something else earlier in the message that looks like a timestamp. Also, there's a limit to how far into an event Splunk will look by default. If you can post a few lines of (sanitized) sample data, people here will be better able to help. The docs have some good information too - take a look at http://www.splunk.com/base/Documentation/latest/Admin/HowSplunkextractstimestamps
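As an added example (not part of the original thread, and not Splunk's own code), the Python script below mirrors the props.conf settings that address the two problems raised in this answer and the earlier one: a self-built timestamp that sits behind an earlier timestamp-looking token, and a custom field (the username) that needs its own extraction. It lets you check the TIME_PREFIX / TIME_FORMAT / MAX_TIMESTAMP_LOOKAHEAD choice and the EXTRACT regexes against sample events before touching a Splunk instance. The stanza name myapp:auth, the ts= / user= / action= key names and the three sample events are constructed for this illustration, and the "naive" scan is only a stand-in for the pitfall described above, not Splunk's actual detection algorithm.

```python
import re
from datetime import datetime, timezone

# Constructed sample events (not from the original thread). The leading id=
# field is a 10-digit number, exactly the kind of token a timestamp detector
# can mistake for a Unix epoch, and the third event has no ts= field at all.
SAMPLE_EVENTS = [
    "id=1700000001 user=alice ts=2024-03-05 14:22:07 action=login result=success",
    "id=1700000002 user=bob ts=2024-03-05 14:23:21 action=login result=failure",
    "id=1700000003 user=carol action=logout result=success",
]

# Settings mirrored from an assumed props.conf stanza for this sourcetype:
#   [myapp:auth]
#   TIME_PREFIX = ts=
#   TIME_FORMAT = %Y-%m-%d %H:%M:%S
#   MAX_TIMESTAMP_LOOKAHEAD = 19
#   TZ = UTC
#   EXTRACT-user = user=(?<user>\S+)
#   EXTRACT-action = action=(?<action>\w+)
TIME_PREFIX = re.compile(r"ts=")
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"
MAX_TIMESTAMP_LOOKAHEAD = 19
# Splunk's EXTRACT regexes are PCRE and accept (?<name>...); Python's re
# module needs the (?P<name>...) spelling for the same named group.
FIELD_EXTRACTIONS = [
    re.compile(r"user=(?P<user>\S+)"),
    re.compile(r"action=(?P<action>\w+)"),
]


def naive_first_timestamp(event):
    """What a prefix-less scan grabs: the first token that looks like either a
    10-digit epoch or a 'YYYY-MM-DD HH:MM:SS' stamp. Illustration of the
    pitfall only, not Splunk's real detector."""
    m = re.search(r"\b(\d{10})\b|(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})", event)
    if m is None:
        return None
    if m.group(1):
        return datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
    return datetime.strptime(m.group(2), TIME_FORMAT).replace(tzinfo=timezone.utc)


def extract_timestamp(event):
    """Locate TIME_PREFIX, then parse TIME_FORMAT from at most
    MAX_TIMESTAMP_LOOKAHEAD characters after it. Returns None when the prefix
    is missing or the window does not parse."""
    m = TIME_PREFIX.search(event)
    if m is None:
        return None
    window = event[m.end():m.end() + MAX_TIMESTAMP_LOOKAHEAD]
    # strptime rejects trailing characters, so trim from the right until the
    # format is satisfied; this mimics a lenient parser that stops once done.
    for end in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:end], TIME_FORMAT).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def extract_fields(event):
    """Apply every EXTRACT-style regex and merge the named groups it captured."""
    fields = {}
    for rx in FIELD_EXTRACTIONS:
        m = rx.search(event)
        if m:
            fields.update(m.groupdict())
    return fields


def parse_event(event):
    return {"_time": extract_timestamp(event), "_raw": event, **extract_fields(event)}


def check_samples(events=SAMPLE_EVENTS):
    """Return (parsed_events, problems). A problem is any event where the
    configured extraction found no timestamp, or where the naive scan would
    have chosen a different one (i.e. the config is doing real work)."""
    parsed, problems = [], []
    for ev in events:
        p = parse_event(ev)
        parsed.append(p)
        if p["_time"] is None:
            problems.append(f"no timestamp after TIME_PREFIX: {ev}")
        elif naive_first_timestamp(ev) != p["_time"]:
            problems.append(f"earlier timestamp-like token would win without TIME_PREFIX: {ev}")
    return parsed, problems


if __name__ == "__main__":
    parsed_events, found = check_samples()
    for p in parsed_events:
        print(p["_time"], p.get("user"), p.get("action"))
    for msg in found:
        print("WARN", msg)
```

The commented stanza is what actually goes into props.conf. TIME_PREFIX, TIME_FORMAT, MAX_TIMESTAMP_LOOKAHEAD and TZ are index-time settings, so they have to be on the indexer or heavy forwarder that parses the data; the EXTRACT-* settings are search-time and can live on the search head. Events the check flags as having no timestamp are worth fixing at the source before indexing, because once a wrong _time has been written the only remedy is to re-index the data.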

mspiegel
New Member

This helped a lot, thank you. However, I'm still unable to search over time from the self-created timestamp that I tried to pass into my Splunk log message. Any ideas?
