Splunk Search

How do I extract the timestamp from this log?

New Member

Hi All,

Kindly help to extract the timestamp from the below log.

Aug 23 05:10:50 1.1.1.1 Aug 22 2017 19:10:51: %ASA-6-302014: Teardown TCP connection 418825708 for inside:1.1.1.1/88 to VMWare-Internal-DMZ:10.1.1.1/12345 duration 0:00:00 bytes 1880 TCP FINs

We need to extract the bold time for particular host. How do you write the regular expression?

[host::1.1.1.1]
TIME_PREFIX = ?
MAX_TIMESTAMP_LOOKAHEAD = ?

Thanks in advance

0 Karma

New Member

Any help?

0 Karma

SplunkTrust

[my_sourcetype]
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 17
TIME_FORMAT = %b %d %H:%M:%S
LINE_BREAKER = ([\r\n]+)\w+\s\d+\s\d+:\d+:\d+
SHOULD_LINEMERGE = False
TRUNCATE = 10000

0 Karma

New Member

I have to define this in props.conf, right? Anything in transforms.conf?

0 Karma

SplunkTrust

Yes, you define this in props.conf. Make sure to replace my_sourcetype with your sourcetype name. After you set this you have to restart splunkd.

0 Karma

SplunkTrust

Did this solve your question? If so, can you accept it?

0 Karma

New Member

@skoelpin No 😞

0 Karma

SplunkTrust

If you're just looking to extract the bold portion then the extraction will look like this:

(?<NAME>\w+\s\d+\s+\d+:\d+:\d+)

0 Karma

New Member

[cisco:asa]
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 17
TIME_FORMAT = %b %d %H:%M:%S
# group 1 is the line break that Splunk discards; the syslog timestamp after it starts the next event
LINE_BREAKER = ([\r\n]+)\w+\s\d+\s+\d+:\d+:\d+
SHOULD_LINEMERGE = False
TRUNCATE = 10000

Should I try this?

0 Karma

SplunkTrust

Is cisco:asa your sourcetype? If so, then yes.

Are you just trying to extract the bold part out or do you want it to timestamp correctly based off the second timestamp?

0 Karma

SplunkTrust

Can you elaborate more on what the issue is? The props.conf entry I provided you will work, I tested it!

0 Karma

Motivator

Hello

You can just use:

TIME_PREFIX = ^
TIME_FORMAT = %b %d %H:%M:%S

Regards

New Member

Not working. The issue is: if I run for real time or the last 15 minutes, the Splunk default props work fine; however, if I search, let's say, the 5AM logs, then it picks the date Aug 22 and the time from the first timestamp, which is 05:10:50.
It should pick the time and date as Aug 23 05:10:50.

Aug 23 05:10:50 1.1.1.1 Aug 22 2017 19:10:51: %ASA-6-302014: Teardown TCP connection 418825708 for inside:1.1.1.1/88 to VMWare-Internal-DMZ:10.1.1.1/12345 duration 0:00:00 bytes 1880 TCP FINs.

Help?

0 Karma

SplunkTrust

This is because you didn't specify the MAX_TIMESTAMP_LOOKAHEAD attribute. This defaults to 150 characters relative to your TIME_PREFIX attribute. So Splunk may be getting confused since you have 2 timestamps in the first 150 characters. Look at my answer below to see the full base configs you should set in props.conf

0 Karma
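To make the thread's advice concrete, here is an added Python model (not Splunk's code, and not posted by anyone in the thread) of the three settings under discussion: the `rex`-style named capture from the earlier answer, the TIME_PREFIX / MAX_TIMESTAMP_LOOKAHEAD / TIME_FORMAT window from the props.conf answer, and the LINE_BREAKER capture-group behaviour. The sample events, the `DATE_LIKE` candidate regex, the assumed year 2017 and the alternate `%b %d %Y %H:%M:%S` format are all my constructions; Splunk's real timestamp processor is more general than this, so treat the script as an illustration of why a 150-character window contains two candidate timestamps while a 17-character window contains one, and of what changes if you instead want the ASA's own second timestamp.

```python
import re
from datetime import datetime

# Constructed sample events modelled on the thread's log line. Hosts, IDs and
# the second event's message are placeholders, not real captured data.
SAMPLE_EVENTS = [
    "Aug 23 05:10:50 1.1.1.1 Aug 22 2017 19:10:51: %ASA-6-302014: Teardown TCP "
    "connection 418825708 for inside:1.1.1.1/88 to VMWare-Internal-DMZ:10.1.1.1/12345 "
    "duration 0:00:00 bytes 1880 TCP FINs",
    "Aug 23 05:11:02 1.1.1.1 Aug 22 2017 19:11:03: %ASA-6-106023: Deny tcp src "
    "outside:10.2.2.2/4444 dst inside:10.1.1.2/22 by access-group outside_in",
]
# A raw syslog stream as the indexer would see it before line breaking.
RAW_STREAM = "\n".join(SAMPLE_EVENTS) + "\n"

# The props.conf values from the thread, reused here as plain Python constants.
TIME_PREFIX = r"^"
TIME_FORMAT = "%b %d %H:%M:%S"
MAX_TIMESTAMP_LOOKAHEAD = 17
LINE_BREAKER = r"([\r\n]+)\w+\s\d+\s+\d+:\d+:\d+"

# Anything that looks like "Mon DD [YYYY] HH:MM:SS". This stands in for Splunk's
# own candidate detection, which is far more general; it is only a model.
DATE_LIKE = re.compile(r"[A-Z][a-z]{2}\s\d{1,2}(?:\s\d{4})?\s+\d{2}:\d{2}:\d{2}")

# The thread's search-time extraction. Splunk's PCRE accepts (?<NAME>...);
# Python's re module needs the (?P<NAME>...) spelling for the same group.
FIELD_RE = re.compile(r"(?P<NAME>\w+\s\d+\s+\d+:\d+:\d+)")


def extract_field(event: str):
    """Return the first syslog-style timestamp, as the rex in the thread would."""
    m = FIELD_RE.search(event)
    return m.group("NAME") if m else None


def lookahead_window(event: str, time_prefix: str, lookahead: int) -> str:
    """Text Splunk is allowed to scan: `lookahead` chars after TIME_PREFIX."""
    m = re.search(time_prefix, event)
    if not m:
        return ""
    return event[m.end(): m.end() + lookahead]


def candidate_timestamps(event: str, lookahead: int, time_prefix: str = TIME_PREFIX):
    """Date-like strings inside the window: more than one means ambiguity."""
    return DATE_LIKE.findall(lookahead_window(event, time_prefix, lookahead))


def extract_timestamp(event, lookahead=MAX_TIMESTAMP_LOOKAHEAD, time_format=TIME_FORMAT,
                      time_prefix=TIME_PREFIX, assumed_year=2017):
    """First candidate in the window that parses with time_format, or None.

    The format in the thread carries no year, so one is assumed here (the
    indexer would use the current year); a format with %Y keeps the parsed year.
    """
    for cand in candidate_timestamps(event, lookahead, time_prefix):
        try:
            ts = datetime.strptime(cand, time_format)
        except ValueError:
            continue
        return ts if "%Y" in time_format else ts.replace(year=assumed_year)
    return None


def break_events(raw: str, line_breaker: str = LINE_BREAKER):
    """Split a stream the way LINE_BREAKER does: the text matched by group 1 is
    discarded, the event ends before it and the next event starts after it."""
    events, start = [], 0
    for m in re.finditer(line_breaker, raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    return [e.strip() for e in events if e.strip()]


if __name__ == "__main__":
    ev = SAMPLE_EVENTS[0]
    print("rex field:", extract_field(ev))
    for la in (MAX_TIMESTAMP_LOOKAHEAD, 150):
        print(f"lookahead {la}: candidates {candidate_timestamps(ev, la)}")
    print("syslog header:", extract_timestamp(ev))
    print("ASA timestamp:", extract_timestamp(ev, lookahead=150, time_format="%b %d %Y %H:%M:%S"))
    print("events broken out:", len(break_events(RAW_STREAM)))
```

Run it as a script to see the candidate lists side by side. With the 17-character lookahead only the syslog header is in scope, which is the behaviour the thread wants for host 1.1.1.1; if the goal were instead the ASA's own `Aug 22 2017 19:10:51`, the same model shows that you would need both a wider lookahead and a TIME_FORMAT with `%Y`, otherwise the second timestamp never enters the window.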