Activity Feed
- Karma Cannot open search on Splunk Dashboard Studio for POR160893. 12-10-2023 07:59 AM
- Karma Re: How to modify syslog source type to handle rfc3339 timestamp? for richgalloway. 12-04-2023 08:28 PM
- Got Karma for How to modify syslog source type to handle rfc3339 timestamp?. 06-08-2022 07:29 AM
- Posted Search for a field which is NOT success from multi-value field on Splunk Search. 08-16-2020 09:28 PM
- Tagged Search for a field which is NOT success from multi-value field on Splunk Search. 08-16-2020 09:28 PM
- Posted How to modify syslog source type to handle rfc3339 timestamp? on Getting Data In. 04-25-2020 08:45 AM
- Tagged How to modify syslog source type to handle rfc3339 timestamp? on Getting Data In. 04-25-2020 08:45 AM
- Posted Re: how to delete old date from splunk on Knowledge Management. 07-10-2019 11:22 PM
Topics I've Started
08-16-2020 09:28 PM
0 Karma
Using `transaction` to trace email delivery through a chain of postfix relays, I end up with a transaction where each relay reported a `status=`. In the normal case all of these are `status=sent`, but now and then I see `status=bounced` or `status=deferred`. How do I search for the non-success `status` when there are multiple success ones and only one non-success? If I add `| search NOT status=sent` to the search, nothing gets matched because there is almost always a `status=sent`. Sadly, `| search status != sent` seems to behave the same way. I could list all the other possible values so I can have `| search status=bounced OR status=deferred`, but this is not what I am looking for.
Tags: multivalue
04-25-2020 08:45 AM
1 Karma
We pass messages with rsyslog using the rfc3339 time format. It has microseconds, and it has a timestamp. But I noticed a few issues:
- The time zone is not parsed out of the message. If I remove the microseconds from the timestamp, it works fine.
- The host does not get parsed out. This seems to be a problem with the syslog-host transform, which does not like the timezone. Dropping the timezone fixes this problem, but I would rather keep it.
What would be the best way to proceed?
- Modify the syslog source type?
- Create a new source type?
- Report the issue and hope for a fix?
07-10-2019 11:22 PM
First link has been moved to https://docs.splunk.com/Documentation/Splunk/latest/Indexer/RemovedatafromSplunk