The device is not sending the logs directly to the Splunk server. Instead I have a CSV log file which I let rsyslog (on another Ubuntu system) send to the Splunk server. Hence the _time value is the rsyslog transmit time, whereas the Time is the actual log timestamp.
Sample log (1 event) below:
<133>Oct 23 07:25:25 ubuntu CPFW, 217,26Oct2017,23:59:00,eth1-02,10.2.2.189,Log,Accept,53,54080,10.28.0.16,165.21.100.88,udp,203,,203-CBIG-SIN-Consolidation,,service_id: domain-udp,Security Gateway/Management,,
rsyslog time is Oct 23 07:25:25 = _time
actual log time is 23:59:00 = Time
I have used the field extraction feature of Splunk to specify the comma-delimited nature of the log. The result of the field extraction is shown in my original post.
Below is the props.conf file from Splunk/etc/system/local:
[Hostnames]
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = csv
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
disabled = false
pulldown_type = true
[CBIG-SIN_Log1 Updated]
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = csv
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
disabled = false
pulldown_type = true
[csv]
DATETIME_CONFIG =
FIELD_DELIMITER = space
FIELD_QUOTE = "
NO_BINARY_CHECK = true
disabled = false
[CBIG_SING_Log1]
DATETIME_CONFIG =
FIELD_DELIMITER = space
FIELD_QUOTE = "
INDEXED_EXTRACTIONS = csv
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
disabled = false
pulldown_type = true
[test1]
DATETIME_CONFIG =
FIELD_DELIMITER = ,
FIELD_QUOTE = "
INDEXED_EXTRACTIONS = csv
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
disabled = false
pulldown_type = true
[test]
DATETIME_CONFIG =
FIELD_DELIMITER = ,
FIELD_QUOTE = "
INDEXED_EXTRACTIONS = csv
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
disabled = false
pulldown_type = true
[CBIG_SIN]
DATETIME_CONFIG =
FIELD_DELIMITER = space
FIELD_QUOTE = "
INDEXED_EXTRACTIONS = csv
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
disabled = false
pulldown_type = true
[cbig_sin]
DATETIME_CONFIG =
FIELD_DELIMITER = space
FIELD_QUOTE = "
INDEXED_EXTRACTIONS = csv
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
disabled = false
pulldown_type = true
[access_combined1]
DATETIME_CONFIG =
FIELD_DELIMITER = ,
FIELD_QUOTE = "
INDEXED_EXTRACTIONS = csv
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
disabled = false
pulldown_type = true
Edit: the sourcetype for the events we are referring to in this question is 'cplogs', which can't be seen in props.conf.
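To make the two timestamps in the quoted event concrete, here is an added example (not code from the post or from Splunk) that parses the rsyslog header and the CPFW CSV payload separately and shows which value _time should be taken from; the sample line is the one quoted above, and the UTC assumption for the epoch conversion is mine, since the CSV carries no timezone.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the single event quoted in the post (syslog header
# prepended by rsyslog, CSV payload emitted by the Check Point gateway).
SAMPLE = ('<133>Oct 23 07:25:25 ubuntu CPFW, 217,26Oct2017,23:59:00,eth1-02,'
          '10.2.2.189,Log,Accept,53,54080,10.28.0.16,165.21.100.88,udp,203,,'
          '203-CBIG-SIN-Consolidation,,service_id: domain-udp,'
          'Security Gateway/Management,,')

# rsyslog header: <PRI>Mon DD HH:MM:SS host CPFW, <csv payload>
HEADER_RE = re.compile(
    r'^<(?P<pri>\d+)>(?P<syslog_ts>\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<host>\S+) CPFW, (?P<csv>.*)$')

# Layout of the date and time fields inside the CSV payload: 26Oct2017,23:59:00
CSV_TIME_FORMAT = '%d%b%Y,%H:%M:%S'


def parse_cpfw_event(line):
    """Split one forwarded line into the rsyslog transmit timestamp (what
    Splunk currently uses for _time) and the gateway's own timestamp
    (the 'Time' value carried in CSV fields 2 and 3)."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError('not an rsyslog-forwarded CPFW line')
    fields = m.group('csv').split(',')
    # fields[0] is the leading counter (217); the date and time follow it.
    log_time = datetime.strptime(f'{fields[1]},{fields[2]}', CSV_TIME_FORMAT)
    return {
        'rsyslog_time': m.group('syslog_ts'),  # no year: taken from the header
        'log_time': log_time,                  # the value _time should hold
        'fields': fields,
    }


def event_epoch_utc(line):
    """Epoch seconds for the gateway timestamp, assuming the CSV time is UTC
    (assumption: the log carries no timezone, so Splunk's TZ setting decides)."""
    log_time = parse_cpfw_event(line)['log_time']
    return int(log_time.replace(tzinfo=timezone.utc).timestamp())


if __name__ == '__main__':
    parsed = parse_cpfw_event(SAMPLE)
    print('rsyslog transmit time :', parsed['rsyslog_time'])
    print('gateway log time      :', parsed['log_time'])
    print('epoch (UTC assumed)   :', event_epoch_utc(SAMPLE))
```

In Splunk the same selection is expressed in the cplogs stanza of props.conf with TIME_PREFIX (a regex that reaches the date field, for this layout `CPFW,\s*\d+,`) and TIME_FORMAT = %d%b%Y,%H:%M:%S, so that _time is read from the event instead of the rsyslog header. Because the CSV time has no zone, set TZ on the same stanza to the gateway's timezone or the epoch will be offset from the true event time.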