Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

SA-Eventgen: detect timestamp in replay- vs. sample-mode

nekb1958
Path Finder
‎08-08-2013 03:25 AM

when i take my eventgen conf in sample-mode the timestamp is replaced with the actual time in the defined format. when i take the same conf and only change mode to replay, error:

ValueError: Can't find a timestamp (using patterns '['\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}']') in this event: '2012-01-30 23:59:04 QQc-O3J7xve CPUSys 1.046711451335729

what did i miss????

thanks for any help (i´m feeling stupid)
norbert

CONFIG 

[short.splunk]  
mode = sample

outputMode = file  
fileName = e://tmp/meas-all.log

token.0.token = \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}  
token.0.replacementType = timestamp  
token.0.replacement = %b %d %H:%M:%S

DATA (== short.splunk)

2012-01-30 23:59:04 QQc-O3J7xve CPUUser 2.3843930719158464

2012-01-30 23:59:04 QQc-O3J7xve CPUSys 1.046711451335729

2012-01-30 23:59:04 sIkqmRX7zai CPUUser 0.57221331953932253

2012-01-30 23:59:04 sIkqmRX7zai CPUSys 0.37301278622911521

2012-01-30 23:59:02 QQc-O3J7xve MemFree 4326506496

2012-01-30 23:59:02 sIkqmRX7zai MemFree 3537133568

2012-01-30 23:58:04 sSGBns8SkM7 CPUUser 0.74475287745429919

2012-01-30 23:58:04 sSGBns8SkM7 CPUSys 0.56507473569084943

2012-01-30 23:58:02 sSGBns8SkM7 MemFree 7351476224

Tags (1)
0 Karma
Reply

fortiwhall
Explorer
‎10-17-2014 01:19 PM

I was having the hardest time with this today - thank you for the tip, @nekb1958.

I had switched from "sample" to "replay" as well and kept getting the same error over and over. I didn't understand @nekb1958's answer at first, but now I see what I'm supposed to do. I'm documenting it further below.

In my example, the timestamp looked like this:

Oct 16 10:59:54

In SAMPLE mode, you would use the three lines as follows, where the token regex is completely separate from the replacement format. 

token.0.token = \w{3} \d{2} \d{2}:\d{2}:\d{2}
token.2.replacementType = timestamp  
token.2.replacement = %d/%b/%Y:%H:%M:%S.%f

Here, the token does not need to match the replacement - the replacement variable is the POSIX format of the timestamp you want EventGen to insert into the result, while the token is the string you want to match. In the above case, I changed the timestamp to a new format just as an example.

In REPLAY mode, however, it seems the token regex and the replacement need to match.

token.0.token = \w{3} \d{2} \d{2}:\d{2}:\d{2}  
token.0.replacementType = timestamp  
token.0.replacement = %b %d %H:%M:%S

That way, it knows where to look for a timestamp (via token regex) and it knows the POSIX format of the timestamp (via replacement format).

0 Karma
Reply

nekb1958
Path Finder
‎08-08-2013 05:00 AM

feeling stupid?

reading helps 😞

token.0.replacement = %b %d %H:%M:%S

isn´t (like i thought) the format (strptime) of the replaced timestamp, NO it is the format of the "input". stupid? yes 🙂

bye norbert

Reply

nekb1958
Path Finder
‎08-08-2013 05:41 AM

my original timestamp is in epoch, taking token.0.replacement = %s detect the right value, but has a problem to print epoch in replacement.
2013-08-08 14:33:37,548 DEBUG Match '1325372400' Format '%s' result: '2012-01-01 00:00:00'
2013-08-08 14:33:37,548 DEBUG Match '1325372402' Format '%s' result: '2012-01-01 00:00:02'

...
File "C:\Program Files\Splunk\etc\apps\SA-EventGen\lib\eventgensamples.py", line 921, in _getReplacement
replacementTime = replacementTime.strftime(self.replacement)
ValueError: Invalid format string

ok, now i know what works.

norbert

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...