Splunk Search

How do I extract the timestamp from this log?

sumitkathpal292
New Member

Hi All,

Kindly help to extract the timestamp from the below log.

Aug 23 05:10:50 1.1.1.1 Aug 22 2017 19:10:51: %ASA-6-302014: Teardown TCP connection 418825708 for inside:1.1.1.1/88 to VMWare-Internal-DMZ:10.1.1.1/12345 duration 0:00:00 bytes 1880 TCP FINs

We need to extract the bold time for particular host. How do you write the regular expression?

[host::1.1.1.1]
TIME_PREFIX = ?
MAX_TIMESTAMP_LOOKAHEAD = ?

Thanks in advance

0 Karma

sumitkathpal292
New Member

any help?

0 Karma

skoelpin
SplunkTrust

[my_sourcetype]
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 17
TIME_FORMAT = %b %d %H:%M:%S
LINE_BREAKER = ([\r\n]+)\w+\s\d+\s\d+:\d+:\d+
SHOULD_LINEMERGE = False
TRUNCATE = 10000

0 Karma

sumitkathpal292
New Member

I have to define this in props.conf, right? Anything in transforms.conf?

0 Karma

skoelpin
SplunkTrust

Yes, you define this in props.conf; make sure to replace my_sourcetype with your sourcetype name. After you set this you have to restart splunkd.

0 Karma

skoelpin
SplunkTrust

Did this solve your question? If so, can you accept it?

0 Karma

sumitkathpal292
New Member

@skoelpin No 😞

0 Karma

skoelpin
SplunkTrust

If you're just looking to extract the bold portion, then the extraction will look like this:

(?<NAME>\w+\s\d+\s+\d+:\d+:\d+)

0 Karma

sumitkathpal292
New Member

[cisco:asa]
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 17
TIME_FORMAT = %b %d %H:%M:%S
LINE_BREAKER = (?<NAME>\w+\s\d+\s+\d+:\d+:\d+)
SHOULD_LINEMERGE = False
TRUNCATE = 10000

Should I try this?

0 Karma

skoelpin
SplunkTrust

Is cisco:asa your sourcetype? If so, then yes.

Are you just trying to extract the bold part out or do you want it to timestamp correctly based off the second timestamp?

0 Karma

skoelpin
SplunkTrust

Can you elaborate more on what the issue is? The props.conf entry I provided you will work, I tested it!

0 Karma

gfuente
Motivator

Hello

You can just use:

TIME_PREFIX = ^
TIME_FORMAT = %b %d %H:%M:%S

Regards

sumitkathpal292
New Member

Not working. The issue is: if I run for real time or the last 15 minutes, Splunk's default props work fine; however, if I search, let's say, the 5 AM logs, then it picks the date Aug 22 and the time from the first timestamp, which is 05:10:50.
It should pick the time and date as Aug 23 05:10:50.

Aug 23 05:10:50 1.1.1.1 Aug 22 2017 19:10:51: %ASA-6-302014: Teardown TCP connection 418825708 for inside:1.1.1.1/88 to VMWare-Internal-DMZ:10.1.1.1/12345 duration 0:00:00 bytes 1880 TCP FINs.

Help?

0 Karma

skoelpin
SplunkTrust

This is because you didn't specify the MAX_TIMESTAMP_LOOKAHEAD attribute. This defaults to 150 characters relative to your TIME_PREFIX attribute, so Splunk may be getting confused since you have 2 timestamps in the first 150 characters. Look at my answer below to see the full base configs you should set in props.conf.

0 Karma
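To make the MAX_TIMESTAMP_LOOKAHEAD point concrete, here is an added Python model (not Splunk's code and not posted by anyone in this thread) that shows which timestamps fall inside the scan window for a lookahead of 17 versus the default 150. The window logic and the timestamp regex are assumptions that approximate Splunk's behaviour, and the year handed to the parser is an assumption because the syslog header carries none.

```python
import re
from datetime import datetime

# Constructed sample event taken from the thread: a syslog header timestamp
# followed by the ASA device's own timestamp, both within the first 150 chars.
SAMPLE_EVENT = (
    "Aug 23 05:10:50 1.1.1.1 Aug 22 2017 19:10:51: %ASA-6-302014: "
    "Teardown TCP connection 418825708 for inside:1.1.1.1/88 to "
    "VMWare-Internal-DMZ:10.1.1.1/12345 duration 0:00:00 bytes 1880 TCP FINs"
)

# Matches the two timestamp shapes present in this event:
# syslog "Mon DD HH:MM:SS" and ASA "Mon DD YYYY HH:MM:SS" (assumed pattern).
TIMESTAMP_RE = re.compile(r"[A-Z][a-z]{2} \d{1,2} (?:\d{4} )?\d{2}:\d{2}:\d{2}")


def candidate_timestamps(event, time_prefix, lookahead):
    """Return the timestamp strings that lie inside the lookahead window.

    Models how TIME_PREFIX and MAX_TIMESTAMP_LOOKAHEAD bound the region that
    is scanned: the window starts right after the TIME_PREFIX match and
    spans `lookahead` characters. Anything beyond it is never a candidate.
    """
    prefix_match = re.search(time_prefix, event)
    if prefix_match is None:
        return []
    window = event[prefix_match.end():prefix_match.end() + lookahead]
    return TIMESTAMP_RE.findall(window)


def parse_syslog_timestamp(event, year):
    """Parse the leading timestamp with TIME_FORMAT = %b %d %H:%M:%S.

    A 17-character window after "^" covers exactly the syslog header time.
    The header has no year, so the caller supplies one (assumption: the
    year of ingestion).
    """
    candidates = candidate_timestamps(event, "^", 17)
    if not candidates:
        return None
    return datetime.strptime(f"{year} {candidates[0]}", "%Y %b %d %H:%M:%S")


if __name__ == "__main__":
    print("lookahead=17  :", candidate_timestamps(SAMPLE_EVENT, "^", 17))
    print("lookahead=150 :", candidate_timestamps(SAMPLE_EVENT, "^", 150))
    print("parsed        :", parse_syslog_timestamp(SAMPLE_EVENT, 2017))
```

With the default lookahead both timestamps are candidates, which is the ambiguity the answer above describes; with 17 only the syslog header time remains.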