Splunk Search

How do I extract the timestamp from this log?

New Member

Hi All,

Kindly help me extract the timestamp from the log below.

Aug 23 05:10:50 1.1.1.1 Aug 22 2017 19:10:51: %ASA-6-302014: Teardown TCP connection 418825708 for inside:1.1.1.1/88 to VMWare-Internal-DMZ:10.1.1.1/12345 duration 0:00:00 bytes 1880 TCP FINs

We need to extract the bold time for a particular host. How do you write the regular expression?

[host::1.1.1.1]
TIME_PREFIX = ?
MAX_TIMESTAMP_LOOKAHEAD = ?

Thanks in advance

0 Karma

New Member

any help?

0 Karma

SplunkTrust

[my_sourcetype]
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 17
TIME_FORMAT = %b %d %H:%M:%S
# the first capture group is discarded; \s+ rather than \s so space-padded days ("Aug  3") still break
LINE_BREAKER = ([\r\n]+)\w+\s+\d+\s+\d+:\d+:\d+
SHOULD_LINEMERGE = False
TRUNCATE = 10000

0 Karma

New Member

I have to define this in props.conf, right? Anything in transforms.conf?

0 Karma

SplunkTrust

Yes, you define this in props.conf; make sure to replace my_sourcetype with your sourcetype name. After you set this you have to restart splunkd.

0 Karma

SplunkTrust

Did this solve your question? If so, can you accept it?

0 Karma

New Member

@skoelpin No 😞

0 Karma

SplunkTrust

If you're just looking to extract the bold portion, then the extraction will look like this:

(?<NAME>\w+\s\d+\s+\d+:\d+:\d+)

0 Karma

New Member

[cisco:asa]
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 17
TIME_FORMAT = %b %d %H:%M:%S
LINE_BREAKER = (?<NAME>\w+\s\d+\s+\d+:\d+:\d+)
SHOULD_LINEMERGE = False
TRUNCATE = 10000

Should I try this?

0 Karma

SplunkTrust

Is cisco:asa your sourcetype? If so, then yes.

Are you just trying to extract the bold part, or do you want it to timestamp correctly based on the second timestamp?

0 Karma

SplunkTrust

Can you elaborate more on what the issue is? The props.conf entry I provided you will work, I tested it!

0 Karma

Motivator

Hello

You can just use:

TIME_PREFIX = ^
TIME_FORMAT = %b %d %H:%M:%S

Regards

New Member

Not working. The issue is: if I run for real time or the last 15 minutes, Splunk's default props work fine; however, if I search, let's say, the 5AM logs, then it picks the date Aug 22 and the time from the first timestamp, which is 05:10:50.
It should pick the time and date as Aug 23 05:10:50.

Aug 23 05:10:50 1.1.1.1 Aug 22 2017 19:10:51: %ASA-6-302014: Teardown TCP connection 418825708 for inside:1.1.1.1/88 to VMWare-Internal-DMZ:10.1.1.1/12345 duration 0:00:00 bytes 1880 TCP FINs.

Help?

0 Karma

SplunkTrust

This is because you didn't specify the MAX_TIMESTAMP_LOOKAHEAD attribute. This defaults to 150 characters relative to your TIME_PREFIX attribute. So Splunk may be getting confused since you have 2 timestamps in the first 150 characters. Look at my answer below to see the full base configs you should set in props.conf

0 Karma
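Added worked example (written for this page; it is not code from the thread or from Splunk): a small Python model of the three props.conf settings discussed in this thread, run over two constructed ASA-style syslog lines with placeholder addresses. It applies the LINE_BREAKER rule that the text matched by the first capture group is discarded (and shows what happens when the timestamp itself is the capture group, as in the cisco:asa attempt above), measures the MAX_TIMESTAMP_LOOKAHEAD window from the end of the TIME_PREFIX match to list which timestamps are visible inside it, and parses the first one with TIME_FORMAT, filling in an assumed year of 2017 because %b %d %H:%M:%S carries none. The generic auto-detection pattern is a stand-in for Splunk's built-in timestamp recognition, not a copy of it.

```python
import re
from datetime import datetime

# Constructed sample chunk in the shape of the thread's line (placeholder addresses,
# not real traffic). The second line has a single-digit day, which syslog pads with a
# space ("Aug  3"), so the break and extract patterns must tolerate a run of whitespace.
RAW = (
    "Aug 23 05:10:50 1.1.1.1 Aug 22 2017 19:10:51: %ASA-6-302014: Teardown TCP connection "
    "418825708 for inside:1.1.1.1/88 to VMWare-Internal-DMZ:10.1.1.1/12345 duration 0:00:00 "
    "bytes 1880 TCP FINs\n"
    "Aug  3 17:05:09 1.1.1.1 Aug 03 2017 07:05:10: %ASA-6-302013: Built inbound TCP connection "
    "1 for outside:10.1.1.1/4444 to inside:1.1.1.1/22\n"
)

# LINE_BREAKER as in the props.conf answer above (\s+ for padded days). Splunk discards the
# text matched by the first capturing group and starts the next event at whatever the rest
# of the pattern matched, so the syslog timestamp stays at the head of each event.
LINE_BREAKER = r"([\r\n]+)\w+\s+\d+\s+\d+:\d+:\d+"

# The questioner's variant: the timestamp itself is the capture group, so it is thrown
# away, and because \w+ also matches digits the pattern fires inside the ASA timestamp too.
BAD_LINE_BREAKER = r"(\w+\s+\d+\s+\d+:\d+:\d+)"

# Without TIME_FORMAT, Splunk looks for anything date-and-time-like; this generic pattern
# stands in for that automatic recognition (an assumption, not Splunk's datetime.xml).
AUTO_TIMESTAMP_RE = r"[A-Z][a-z]{2}\s+\d{1,2}(?:\s+\d{4})?\s+\d{2}:\d{2}:\d{2}"

# strptime directives that this model knows how to search for.
DIRECTIVE_RE = {
    "%b": r"[A-Z][a-z]{2}", "%d": r"\d{1,2}", "%Y": r"\d{4}",
    "%H": r"\d{2}", "%M": r"\d{2}", "%S": r"\d{2}",
}


def break_lines(raw, line_breaker):
    """Split a raw chunk into events using Splunk's LINE_BREAKER capture-group rule."""
    events, start = [], 0
    for m in re.finditer(line_breaker, raw):
        events.append(raw[start:m.start(1)])   # text before the group stays with the previous event
        start = m.end(1)                        # text after the group opens the next event
    events.append(raw[start:])
    return [e.strip() for e in events if e.strip()]


def format_to_regex(time_format):
    """Turn a strptime TIME_FORMAT such as '%b %d %H:%M:%S' into a search regex."""
    out, i = "", 0
    while i < len(time_format):
        if time_format[i] == "%":
            directive = time_format[i:i + 2]
            if directive not in DIRECTIVE_RE:
                raise ValueError(f"unsupported directive {directive}")
            out += DIRECTIVE_RE[directive]
            i += 2
        elif time_format[i] == " ":
            out += r"\s+"          # one space in the format tolerates padding in the data
            i += 1
        else:
            out += re.escape(time_format[i])
            i += 1
    return out


def candidates(event, time_prefix, max_lookahead, time_format=None):
    """Timestamps visible inside the MAX_TIMESTAMP_LOOKAHEAD window after TIME_PREFIX.

    time_format=None models automatic recognition; with a TIME_FORMAT only strings
    matching that exact format count."""
    m = re.search(time_prefix, event)
    if not m:
        return []
    window = event[m.end():m.end() + max_lookahead]
    pattern = AUTO_TIMESTAMP_RE if time_format is None else format_to_regex(time_format)
    return [re.sub(r"\s+", " ", c.group(0)) for c in re.finditer(pattern, window)]


def extract_timestamp(event, time_prefix, max_lookahead, time_format, default_year=None):
    """First TIME_FORMAT match in the window, parsed to a datetime.

    A format without %Y has no year in the data; Splunk falls back to the current year,
    which default_year stands in for here (an assumption; the demo passes 2017)."""
    found = candidates(event, time_prefix, max_lookahead, time_format)
    if not found:
        return None
    text, fmt = found[0], time_format
    if "%Y" not in fmt:
        year = default_year or datetime.now().year
        text, fmt = f"{text} {year}", f"{fmt} %Y"
    return datetime.strptime(text, fmt)


if __name__ == "__main__":
    for event in break_lines(RAW, LINE_BREAKER):
        print("lookahead 150, auto:", candidates(event, "^", 150))
        print("lookahead 17,  auto:", candidates(event, "^", 17))
        print("extracted:", extract_timestamp(event, "^", 17, "%b %d %H:%M:%S", 2017))
    print("bad breaker events:", break_lines(RAW, BAD_LINE_BREAKER))
```

With a 150-character window and no TIME_FORMAT the model sees both timestamps on the line; with a 17-character window, or with the explicit TIME_FORMAT (the ASA-generated timestamp carries a year and so does not match %b %d %H:%M:%S), only the syslog one is left. The BAD_LINE_BREAKER run splits each line into pieces none of which starts with a timestamp, which is why that stanza cannot timestamp correctly whatever the lookahead is.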