Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Parse Log Messages

mspiegel
New Member
‎10-01-2010 10:04 PM

I'm sending a series of events to Splunk with their own time stamp and username info that I built independently of Splunk. Is there any way to run or build a custom report such that I can use the data that I passed in as parameters, instead of only being able to choose from the parameters defined by Splunk?

Tags (2)
0 Karma
Reply

southeringtonp
Motivator
‎10-01-2010 10:13 PM

What do you mean by "parameters defined by Splunk"?

Are you just trying to extract new fields?
     http://www.splunk.com/base/Documentation/latest/User/ExtractNewFields

     http://www.splunk.com/base/Documentation/latest/User/InteractiveFieldExtractionExample

0 Karma
Reply

southeringtonp
Motivator
‎10-05-2010 01:25 AM

Splunk is pretty good about picking up on timestamps out-of-the box. Usually if it doesn't see it, that means the timestamp is in a nonstandard format, or there's something else earlier in the message that looks like a timestamp. Also, there's a limit to how far into an event Splunk will look by default. If you can post a few lines of (sanitized) sample data, people here will be better able to help. The docs have some good information too - take a look at http://www.splunk.com/base/Documentation/latest/Admin/HowSplunkextractstimestamps

Reply

mspiegel
New Member
‎10-04-2010 10:12 PM

This helped a lot, thank you. However, I'm still unable to search over time from the self-created timestamp that I tried to pass into my splunk log message. Any ideas?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

How to find the worst searches in your Splunk environment and how to fix them

Everyone knows Splunk is a powerful platform for running searches and doing data analytics. Your ...

Share Your Feedback: On Admin Config Service (ACS)!

Help Us Build a Better Admin Config Service Experience (ACS)   We Want Your Feedback on Admin Config Service ...