Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk VPC timestamp issue

General_Talos
Path Finder
‎07-14-2021 04:59 AM

Hey,

I am sure many of you, who have VPC logs on Splunk have came across this issue. 

Raw Log

2 unknown eni-xxxxxxxxxxxxx 192.168.0.10 192.168.0.15 3558 6443 6 9 1196 1625657222 1625657282 ACCEPT OK

Text highlighted in red is event start_time, and I want to replace it with _time

my props.conf

 

[aws:cloudwatchlogs:vpcflow]
TIME_FORMAT = %s
SHOULD_LINEMERGE = false
TIME_PREFIX = ^(?>\S+\s){10}
MAX_TIMESTAMP_LOOKAHEAD = 10

 

Still no luck 😞

General_Talos_0-1626263811814.png

 

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-14-2021 05:15 AM

Try this

TIME_PREFIX = (\S+\s+){10}
0 Karma
Reply

General_Talos
Path Finder
‎07-14-2021 10:58 AM

Hello @ITWhisperer , thks for sharing. Still the same.

0 Karma
Reply
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out >> As our brave ...