My events have two different times in them, one from when the dns server processed them, and then another is added to the beginning of the events from what I assume is splunk. I want splunk to treat the second time as the events timestamp. I have manually assigned the sourcetype for the port as dns_data. Here is part of my props.conf file from $SPLUNK_HOME/etc/sys/local:
props.conf--
[sourcetype::dns_data]
TIME_PREFIX = \w+ \d+ \d\d:\d\d:\d\d foo\.bar\.com
TIME_FORMAT = %b %d %H:%M:%S %Y
Here are some events:
Jun 23 16:29:19 foo.bar.com Wed Jun 23 16:27:15 2010: 123.123.123.123 -> 321.321.321.321: 52826 NOERR 'something.somewhere.com.' A IN (n#5) (x#9)
Jun 23 16:29:19 foo.bar.com Wed Jun 23 16:27:15 2010: 123.123.231.321 -> 25.321.321.31: 1572 NOERR 'something.somewhere.com.' AAAA IN (x#1)
Jun 23 16:29:19 foo.bar.com Wed Jun 23 16:27:15 2010: 213.213.21.231 -> 123.123.123.123: 25373 NOERR 'something.somewhere.com.' A IN (a#1) (n#6) (x#11) ANS 'something.somewhere.com. A IN 21.231.231.21
Any help would be appreciated.
Thanks.
... View more