Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Read timezone from openvas logs? Regex, strftime, won't detect it.

JSkier
Communicator
‎04-24-2018 02:30 PM

I'm inputting openvas logs into splunk. Works great for .messages, not so much for .log files. Below is how the lines look:

Info<18 chars pos>2018-04-23 23h04.55 utc:31730 SOME MESSAGE
Info<18 chars pos>2018-04-24 10h25.34 CDT:539 SOME MESSAGE

So, time zone starts at the 18 character. Splunk cannot read it no matter how far I go.

Timestamp prefix regex:
^.{18}\K
I also tried the more pythonic way of doing this regex:
^.{18}
Still can't get it detected in splunk, so I added strftime:
%Y-%M-%d %Hh%M.%S %Z:%s

Any ideas on how to get the timestamp recognized correctly in splunk?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎04-24-2018 03:42 PM

The correct settings on your indexers would be this (in #props.conf):

TIME_PREFIX = chars\s+pos\>
TIME_FORMAT = %Y-%m-%d %Hh%m.%S %Z:%N
MAX_TIMESTAMP_LOOKAHEAD = 29

View solution in original post

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎04-24-2018 03:43 PM

Your mistake was using %M twice; that is totally invalid.

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎04-24-2018 03:42 PM

The correct settings on your indexers would be this (in #props.conf):

TIME_PREFIX = chars\s+pos\>
TIME_FORMAT = %Y-%m-%d %Hh%m.%S %Z:%N
MAX_TIMESTAMP_LOOKAHEAD = 29
0 Karma
Reply
Solved! Jump to solution

JSkier
Communicator
‎04-25-2018 06:18 AM

This got me on the right path, thank you!

UPDATE: Removed %N, it is not actually seconds.
UPDATE2: Turns out some timestamps start 19 chars in, I have updated the props below to reflect this. The log source timestamps are a mess (some local tz, others utc), splunk isn't able to differentiate them, so I removed the TZ from the format. It will require a few source types to get it to a very clean place.

Timezone stuff is still weird, so it will need more tuning there on my end, but this ended up working for parsing:

SHOULD_LINEMERGE = false
TIME_PREFIX = ^\w+\s{1,5}\w+:(\s+\w+|\w+):
TIME_FORMAT = %Y-%m-%d %Hh%M.%S
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...