Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Field Extract and Format Time Stamp
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Field Extract and Format Time Stamp
Hi All.
How to break this log block so that it reads each row as an event, and this log is not in timestamp format?
The date would be the start and end of the user session on the system.
The following is an example of the log:
cod|user |system |day|month|year|hour|minute|day|month|year|hour|minute
001|00129810|cis2121000 |01|03|18|10|46|01|03|18|10|46 001|user001 |cis2200000 |01|03|18|10|46|01|03|18|10|46 001|00129810|cis2121000 |01|03|18|10|46|01|03|18|10|46 001|user001 |cisli2100m000 |01|03|18|10|46|01|03|18|10|46 001|user001 |cisli2100m000 |01|03|18|10|46|01|03|18|10|46 001|00129810|cis2121000 |01|03|18|10|46|01|03|18|10|46 001|00129810|cisli2100m000 |01|03|18|10|46|01|03|18|10|46 001|00821888|cis0121000 |01|03|18|10|46|01|03|18|10|46 001|user001 |cis2200000 |01|03|18|10|46|01|03|18|10|46
Do I have to configure in props.conf and transform.conf by sourcetype?
REGEX = = (.{3}).(.{8}).(.{16}).(.{2}).(.{2}).(.{2}).(.{2}).(.{2}).(.{2}).(.{2}).(.{2}).(.{2}).(.{2})
FORMAT = emp::$1 user::$2 session_id::$3 datei_mday::$4 datei_month::$5 datei_year::$6 datei_hour::$7 datei_minute::$8 datef_mday::$9 datef_month::$10 datef_year::$11 datef_hour::$12 datef_minute::$13
I tried to create this REGEX, but it did not work.
Can you help me please?
Best Regards.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you have multiple events using the same line, then you should use the props that should look something like this:
props.conf:
[sourcetype]
TIME_PREFIX = depends on the timestamp you want
TIME_FORMAT = not sure what time you want to use - initial or final
MAX_TIMESTAMP_LOOKAHEAD = ?
SHOULD_LINEMERGE = true
LINE_BREAKER = |\d{2}(\s)\d+
TRUNCATE = 50000
REPORT-extraction = your_extraction
transfoms.conf:
[your_extraction]
DELIMS = "|"
FIELDS = emp, user, session_id, datei_mday, datei_month, datei_year, datei_hour, datei_minute, datef_mday, datef_month, datef_year, datef_hour, datef_minute
Hope it works!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the answer. I'll test and return with the result.
Thanks in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
set below in props.conf:
SHOULD_LINEMERGE = false
it will separate each line as an event
SHOULD_LINEMERGE = [true|false]
* When set to true, Splunk combines several lines of data into a single
multi-line event, based on the following configuration attributes.
* Defaults to true.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the answer. I'll test and return with the result.
Thanks in advance.
Tech Talk Recap | Mastering Threat Hunting
Observability for AI Applications: Troubleshooting Latency
Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?
