Kindly help to extract the time stamp from the below log.
Aug 23 05:10:50 18.104.22.168 Aug 22 2017 19:10:51: %ASA-6-302014: Teardown TCP connection 418825708 for inside:22.214.171.124/88 to VMWare-Internal-DMZ:10.1.1.1/12345 duration 0:00:00 bytes 1880 TCP FINs
We need to extract the bold time for a particular host. How do you write the regular expression?
TIME_PREFIX = ?
MAX_TIMESTAMP_LOOKAHEAD = ?
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 17
TIME_FORMAT = %b %d %H:%M:%S
LINE_BREAKER = ([\r\n]+)(?=\w+\s\d+\s+\d+:\d+:\d+)
SHOULD_LINEMERGE = False
TRUNCATE = 10000
Should I try this?
Not working. The issue is: if I run for real time or the last 15 minutes, the Splunk default props work fine; however, if I search, let's say, 5AM logs, then it picks the date Aug 22 and the time from the first, which is 05:10:50.
It should pick the time and date as Aug 23 05:10:50.
Aug 23 05:10:50 126.96.36.199 Aug 22 2017 19:10:51: %ASA-6-302014: Teardown TCP connection 418825708 for inside:188.8.131.52/88 to VMWare-Internal-DMZ:10.1.1.1/12345 duration 0:00:00 bytes 1880 TCP FINs.
This is because you didn't specify the MAX_TIMESTAMP_LOOKAHEAD attribute. This defaults to 150 characters relative to your TIME_PREFIX attribute. So Splunk may be getting confused since you have 2 timestamps in the first 150 characters. Look at my answer below to see the full base configs you should set in