×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
kerne1
New Member
Member since: ‎11-15-2010
‎06-05-2020
Community Statistics
Posts 3
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎11-15-2010
Activity Feed
View All

Re: configuring TIME_FORMAT

by in Getting Data In
‎08-07-2012 06:53 AM
‎08-07-2012 06:53 AM
sorry for misleading, the html tags come from Markdown and doesn't belong to the config. this ist the log line: 12-08-03 19:48:40 "user1|g" 1.2.3.4 "CONNECT www.example.com:443" this is the props.conf (I've removed the EXTRACT expression for clarity): [source::/var/log/access*] TIME_FORMAT = %y-%m-%d %H:%M:%S ... View more

configuring TIME_FORMAT

by in Getting Data In
‎08-07-2012 05:01 AM
‎08-07-2012 05:01 AM
Hello, our logs have ISO 8601 date format with shorted year (YY instead of YYYY): "12-08-06 04:42:10". It is 6 of August 2012 but Splunk think it is 12 of August 2006. I've added to props.conf: TIME_FORMAT = %y-%m-%d %H:%M:%S but this didn't change anything. the full config: [source::/var/log/access*] #12-08-03 19:48:40 "user1|g" 1.2.3.4 "CONNECT www.example.com:443" EXTRACT-access = ^(?P<datestamp>[^ ]+) (?P<timestamp>[^ ]+) "(?P<auth_user>[^|])|(?P<profile>[^"])" (?P<src_ip>[^ ]+) "(?P<method>[A-Z]+) (?P<url>[^"]+)" TIME_FORMAT = %y-%m-%d %H:%M:%S any idea how to configure? thanks ... View more

adding a new log format: detect all the fields

by in Getting Data In
‎11-15-2010 06:44 PM
‎11-15-2010 06:44 PM
Hello, I am trying to add a new custom log format, so splunk can recognize all the fields in this log: #proxy_code c_ip "user" "profile" timestamp "url" http_status "user_agent" _time - 10.20.11.24 "user1" "profile1" [1/Nov/2010:11:44:51 +0100] "GET http://example.com/ HTTP/1.1" 200 "Mozilla/4.0" 1289818694 4 10.20.13.19 "user3" "profile2" [1/Nov/2010:11:44:54 +0100] "GET http://server1.com/ HTTP/1.1" 200 "Mozilla/4.0" 1289818697 - 10.20.12.16 "-" "-" [1/Nov/2010:11:44:54 +0100] "GET http://www.example2.com/ HTTP/1.1" 200 "Mozilla/4.0" 1289818697 80 19.55.54.22 "user10" "profile5" [1/Nov/2010:11:44:54 +0100] "GET http://abc.server.com/ HTTP/1.1" 200 "MSIE" 1289818697 to execute following queries: source=proxy profile=profile2 proxy_code=4 etc. my steps: -1. create new etc\apps\search\local\transforms.conf with a new sourcetype: [proxy] REGEX = ^([0-9\-]*) ([0-9\.]+) "([^"]+)" "([^"]+)" (\[[^\]+\]) ("[^"]+") ([0-9\-]+) ("[^"]+") ([0-9]*) FORMAT = proxy_code::$1 c_ip::$2 user::$3 profile::$4 timestamp::$5 url::$6 http_status::$7 user_agent::$9 _time::$14 -2. create etc\apps\search\local\inputs.conf: [nullPound] REGEX = ^\# DEST_KEY = queue FORMAT = nullQueue [monitor://c:\proxylogs] disabled = false followTail = 0 host = proxy sourcetype = proxy -3. create etc\apps\search\local\props.conf [proxy] TRANSFORMS-logformat = proxy -4. restart splunk I can find the events with sourcetype="proxy", but the fields are not recognized, for example c_ip="10.20.11.24" doesnt work. The comments are not removed despite of nullPound-rule in transforms.conf do I missing something? BR PS: ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:02 AM