
date_* fields not being extracted

Splunk Employee

i have events that look like this:

CEF:0|Symantec|Endpoint Protection|11|999|"C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SescLU.exe"|High| eventId=5480802 externalId=0E68DF150A0064A4000A5EDF35775715 start=1290620312000 end=1290620312000 art=1290622138975 deviceSeverity=7 rt=1290622392494 dhost=IL06TR3534M1029 dst=0.0.0.0 destinationZoneURI=/All Zones/System Zones/Private Address Space duser=SYSTEM dproc=C:/Program Files/Ci456trix/Server Resource Management/CPU Utilization Management/bin/ctxcpusched.exe filePath=C:/Program Files/Symantec/Symantec Endpoint Protection/SescLU.exe cs2=gsgdg cs1Label=Rule Name cs2Label=Site Name ahost=il02cdgdgsadgpp23 agt=0.0.0.0 agentZoneURI=/All Zones/System Zones/Public Address Space/Medfgdfrfgck adfgndfd fCdfo. Inc av=5.0.1.0.0 atz=America/Chicago aid=VHCNQioBAjhgfBCAAbwsSXav-A\=\= at=symantecendpointprotection_db dtz=America/Chicago _cefVer=0.1 ad.USN.l=17653876548768 ad.GROUP__ID.c=262887CD380ABC3B8D007F9E041C0F4906 ad.SEND__SNMP__TRAP.i=0 ad.SITE__ID.c=490FDBF20A0064A501D542C265C16579 ad.EVENT__TIME.l=1290620312000 ad.ALERT.l=1 ad.HARDWARE__KEY.c=CC4729F88C6AAB83A1072CA83A4EDEB5 ad.CALLER__PROCESS__ID.l=4464 ad.SERVER__ID.c=67B886940A0064A401CE5AF910B1B99C ad.COMPUTER__ID.c=4E09948C0A00649400AECB09AF9AB20F ad.ACTION.l=0 ad.AGENT__ID.c=600A65290A00649400AECB0979407FB0 ad.DOMAIN__ID.c=28CC5DC90A0064A501AB16EB8463B458 

CEF:0|Symantec|Endpoint Protection|11|999|"C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"|High| eventId=5480801 externalId=14B8F26D0A0064A4000A5EDF382EDBF5 start=1290620393000 end=1290620393000 art=1290622138975 deviceSeverity=7 rt=1290622392479 dhost=IL06TR345M1029 dst=0.0.0.0 destinationZoneURI=/All Zones/System Zones/Private Address Space duser=SYSTEM dproc=C:/Program Files/Ci64trix/Server Resource Management/CPU Utilization Management/bin/ctxcpusched.exe filePath=C:/Program Files/Symantec/Symantec Endpoint Protection/Smc.exe cs2=hfghgf cs1Label=Rule Name cs2Label=Site Name ahost=il02csgfagppdg23 agt=0.0.0.0 agentZoneURI=/All Zones/System Zones/Public Address Space/Merdgckgd agdgnd dgCo. Inc av=5.0.1.0.0 atz=America/Chicago aid=VHCNQiojhgfdBABCAAbwsSXav-A\=\= at=symantecendpointprotection_db dtz=America/Chicago _cefVer=0.1 ad.USN.l=1765876538768 ad.GROUP__ID.c=2628CD380A87BC3B8D007F9E041C0F4906 ad.SEND__SNMP__TRAP.i=0 ad.SITE__ID.c=490FDBF20A0064A501D542C265C16579 ad.EVENT__TIME.l=1290620393000 ad.ALERT.l=1 ad.HARDWARE__KEY.c=CC4729F88C6AAB83A1072CA83A4EDEB5 ad.CALLER__PROCESS__ID.l=4464 ad.SERVER__ID.c=67B886940A0064A401CE5AF910B1B99C ad.COMPUTER__ID.c=4E09948C0A00649400AECB09AF9AB20F ad.ACTION.l=0 ad.AGENT__ID.c=600A65290A00649400AECB0979407FB0 ad.DOMAIN__ID.c=28CC5DC90A0064A501AB16EB8463B458

Why do the date_* fields not get extracted? For a different source I get the extraction just fine (see below). Hence this has to do with the events themselves.

date_hour (n) (6)
date_mday (n) (1)
date_minute (n) (60)
date_month (1)
date_second (n) (60)
date_wday (1)
date_year (n) (1)
date_zone (1)

Also, how can I populate them, if I needed to use them?

Cheers.

1 Solution

Splunk Employee

From what I understand, the date_* fields are actually fields that are extracted when Splunk parses the timestamp from the events themselves. Since these events have no timestamp associated with them, these fields do not get populated.

If one wanted to use such fields, they can extract and populate them using

 | eval date_mday=strftime(_time, "%d")

The above, for example, would extract the actual day of the month and populate it in the date_mday field.



Splunk Employee

I don't think the customer cared for those epoch timestamps; they were fine with the timestamp becoming the actual index time, but still wanted to extract the "Day" field.


Splunk Employee

Seems to me there are various epoch timestamps in the event data that should have been picked up. Perhaps setting a higher MAX_TIMESTAMP_LOOKAHEAD or a TIME_PREFIX would help.

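One way to apply the index-time fix suggested in the comment above, as an added example that is not part of any post in this thread: a props.conf stanza (the sourcetype name is an assumption) that points Splunk's timestamp extraction at the epoch-millisecond start= field of these CEF events, so that _time and the date_* fields are derived from the event instead of index time.

```ini
# Added example, not from this thread. Stanza name is assumed; use the
# sourcetype these CEF events are actually indexed under.
[symantec_sep_cef]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
# Regex for the text immediately preceding the timestamp. The leading \s
# anchors on the space before "start=" so the later ad.EVENT__TIME.l=...
# field (same value in the sample events, but not guaranteed) is not used.
TIME_PREFIX = \sstart=
# 13-digit epoch milliseconds: %s = seconds since epoch, %3N = 3 subsecond digits
TIME_FORMAT = %s%3N
# Only inspect the 13 characters after TIME_PREFIX for the timestamp
MAX_TIMESTAMP_LOOKAHEAD = 13
# If replaying old data (the sample events are from November 2010), also raise
# MAX_DAYS_AGO (default 2000), or Splunk rejects the timestamp and falls back.
```

These settings only affect data indexed after the change; events already indexed keep their index-time _time, which is where the search-time eval from the accepted answer remains useful.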