×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
yhetti
New Member
Member since: ‎01-31-2024
‎02-10-2024
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎01-31-2024
Activity Feed
Topics I've Started
View All

Re: HELP with CEF CSV time format

by in Knowledge Management
‎02-10-2024 11:50 AM
‎02-10-2024 11:50 AM
Thank You for replying: I am totally new to this so I don't have the domain knowledge. I believe it is indexed extractions. As far as the extraction configuration it shows _time, _raw   again I am a total noob - I appreciate any assistance.  ... View more

HELP with CEF CSV time format

by in Knowledge Management
‎01-31-2024 02:06 PM
‎01-31-2024 02:06 PM
I am new to splunk and I have inherited a system that forwards log in CEF CSV format.  These logs are then tar'd up and sent to the distant end (which does happen successfully).  The issue I have is when the splunk server picks up the CEF CSV it has epoch time as the first entry of every log in the CEF CSV file.  This makes the next hop/stop aggregator I send to unhappy.   original host (forwarder) -> splunk host -> splunk host -> master aggregator (arcsight type server) example: 1706735561, "blah blah blah" the file cef.csv says it's doing "_time","_raw" When I look at what I think is the setup for time (etc/datetime.xml), _time does not have anything about epoch or %s in there. How do I configure the CEF CSV to omit the epoch time? As I mentioned earlier, I am totally new to splunk.  Any help would be fantastic. ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎02-10-2024 03:33 PM