Hi there,
I'm trying to import a log2timeline output (CSV) into Splunk, but timestamp detection fails when I try to define a new sourcetype.
The time information is located at the start of the line and in the following format:
01/01/1970,00:00:00,UTC,...
I've already set the format for strptime to %m/%d/%Y,%H:%M:%S and tried automatic timestamp search as well as defining a regex.
But the only string which is highlighted (and detected as a potential timestamp) is 00:00:00.
IPython shows that the format string matches the timestamp:
In [11]: time.strptime("01/01/1970,00:00:00","%m/%d/%Y,%H:%M:%S")
Out[11]: time.struct_time(tm_year=1970, tm_mon=1, tm_mday=1, tm_hour=0, tm_min=0, tm_sec=0, tm_wday=3, tm_yday=1, tm_isdst=-1)
I also tried the following things:
Removing the "," between date and time
Adding a prefix to each line
Changing the dates to a day later than 01/01/1970
Swapping %m and %d just in case of any doubts
The installed Splunk version is 6.1.1.
Does anybody have an idea what I can do so that Splunk correctly recognizes the time of the lines?
Kind regards in advance!
Markus
First lines of my log are:
01/01/1970,00:00:00,UTC,..C.,REG,NTUSER key : Typed Paths,Last Written,-,xxx,[\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths]...
01/01/1970,00:00:00,UTC,..C.,REG,NTUSER key : RDP Connection,Last Written,-,xxx,[\Software\Microsoft\Terminal Server Client\Default] MRU1:...
01/01/1970,00:00:00,UTC,..C.,REG,NTUSER key : Typed Paths,Last Written,-,xxx,[\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths] ...
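As an added example (not part of the original post or of Splunk/log2timeline), the check below applies the strptime format from the question to the leading date and time columns of constructed l2t_csv-style lines, reports rows whose timestamp does not parse, assumes the third column is the timezone name and handles only "UTC", and flags epoch-zero timestamps, which are worth reviewing before ingestion.

```python
import csv
import io
from datetime import datetime, timezone

# strptime format from the question: date and time columns joined by a comma
L2T_TIME_FORMAT = "%m/%d/%Y,%H:%M:%S"

# Constructed sample rows in l2t_csv layout (not real case data); the third
# row is deliberately malformed to show how a parse failure is reported.
SAMPLE_CSV = """\
01/01/1970,00:00:00,UTC,..C.,REG,NTUSER key : Typed Paths,Last Written,-,xxx,[\\Software\\Example\\TypedPaths]
03/15/2014,14:22:05,UTC,M...,WEBHIST,Browser History,Last Visited,-,xxx,http://example.invalid/
not-a-date,oops,UTC,....,LOG,Syslog,Entry,-,xxx,garbage line
"""


def parse_l2t_timestamp(fields, fmt=L2T_TIME_FORMAT):
    """Return (epoch_seconds, note) for one l2t_csv row.

    fields[0] is the date, fields[1] the time, fields[2] the timezone name.
    Assumption: only 'UTC' is handled; other zones are reported, not guessed.
    """
    if len(fields) < 3:
        return None, "too few columns"
    if fields[2] != "UTC":
        return None, "unsupported timezone %r" % fields[2]
    try:
        parsed = datetime.strptime(fields[0] + "," + fields[1], fmt)
    except ValueError as err:
        return None, "timestamp does not match %s: %s" % (fmt, err)
    epoch = int(parsed.replace(tzinfo=timezone.utc).timestamp())
    # Epoch zero usually means the tool had no real timestamp for the entry.
    note = "epoch zero (check for missing time)" if epoch == 0 else "ok"
    return epoch, note


def check_l2t_csv(text, fmt=L2T_TIME_FORMAT):
    """Validate every row; return a list of (line_no, epoch_or_None, note)."""
    results = []
    for line_no, fields in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not fields:
            continue
        epoch, note = parse_l2t_timestamp(fields, fmt)
        results.append((line_no, epoch, note))
    return results


if __name__ == "__main__":
    for line_no, epoch, note in check_l2t_csv(SAMPLE_CSV):
        print(line_no, epoch, note)
```

Running the same rows through a swapped format such as "%d/%m/%Y,%H:%M:%S" makes the second row fail, which is a quick way to confirm which field order the data actually uses.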