Security

Parse Log Messages

mspiegel
New Member

I'm sending a series of events to Splunk with their own time stamp and username info that I built independently of Splunk. Is there any way to run or build a custom report such that I can use the data that I passed in as parameters, instead of only being able to choose from the parameters defined by Splunk?

Tags (2)
0 Karma

southeringtonp
Motivator

What do you mean by "parameters defined by Splunk"?

Are you just trying to extract new fields?
     http://www.splunk.com/base/Documentation/latest/User/ExtractNewFields

     http://www.splunk.com/base/Documentation/latest/User/InteractiveFieldExtractionExample

0 Karma

southeringtonp
Motivator

Splunk is pretty good about picking up on timestamps out-of-the box. Usually if it doesn't see it, that means the timestamp is in a nonstandard format, or there's something else earlier in the message that looks like a timestamp. Also, there's a limit to how far into an event Splunk will look by default. If you can post a few lines of (sanitized) sample data, people here will be better able to help. The docs have some good information too - take a look at http://www.splunk.com/base/Documentation/latest/Admin/HowSplunkextractstimestamps

mspiegel
New Member

This helped a lot, thank you. However, I'm still unable to search over time from the self-created timestamp that I tried to pass into my splunk log message. Any ideas?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...