×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
rid1
New Member
Member since: ‎02-26-2018
‎06-05-2020
Community Statistics
Posts 12
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎02-26-2018
Activity Feed
View All

Re: converting splunks time

by in Splunk Enterprise
‎03-06-2018 12:21 AM
‎03-06-2018 12:21 AM
the 1st until 3rd line, I dont understand. is that a spl query? ... View more

Re: converting splunks time

by in Splunk Enterprise
‎03-06-2018 12:19 AM
‎03-06-2018 12:19 AM
| makeresults | eval time="\"timestamp_mrt\": \"2017-12-03T15:30:36.208Z\"" | rex field=time mode=sed "s/(\"timestamp_mrt\":\s\"[^(T|Z)]+)(T|Z)([^(T|Z)]+)(T|Z)/\1 \3/g" this part I dont understand, is it the spl query? ... View more

Re: converting splunks time

by in Splunk Enterprise
‎03-05-2018 10:48 PM
‎03-05-2018 10:48 PM
yes, expecting it to be my time, but also I want to change the format. without the "T" and "Z". like this "timestamp_mrt": "2017-03-12 15:30:36.208" ... View more

Re: converting splunks time

by in Splunk Enterprise
‎03-05-2018 10:46 PM
‎03-05-2018 10:46 PM
it works in spl search query but I need the latter format when I finish loading the log. Is there anyway to do this? so splunk result will show "timestamp_mrt": "2017-03-12 15:30:36.208" this one instead (something like parsing done during loading) ... View more

Re: converting splunks time

by in Splunk Enterprise
‎03-05-2018 10:33 PM
‎03-05-2018 10:33 PM
apologise, where should I put those? in props file? ... View more

converting splunks time

by in Splunk Enterprise
‎03-05-2018 10:21 PM
‎03-05-2018 10:21 PM
Hi there, I have log with format like this "timestamp_mrt": "2017-12-03T15:30:36.208Z" but I would like to change the output becoming "timestamp_mrt": "2017-03-12 15:30:36.208" Do I need to convert to something first before converting to that desired result? *edit I tried with adding the Timestamp format %Y-%m-%d\s%H:%M:%S.%3Q but got an error saying "could not use strp time to parse ..." Thx ... View more

Re: How to configure Splunk to use a timestamp fie...

by in Splunk Search
‎02-26-2018 11:51 PM
‎02-26-2018 11:51 PM
Thank you guys ... View more

Re: How to configure Splunk to use a timestamp fie...

by in Splunk Search
‎02-26-2018 11:51 PM
‎02-26-2018 11:51 PM
perfect! as @deepashri_123 and you recommended to apply to new events. ... View more

Re: How to configure Splunk to use a timestamp fie...

by in Splunk Search
‎02-26-2018 10:02 PM
‎02-26-2018 10:02 PM
still giving my "timestamp = none" thus I tried to find the log with condition of search 2nd dec 2017 to 4th dec 2017, still give me nothing. ... View more

Re: How to configure Splunk to use a timestamp fie...

by in Splunk Search
‎02-26-2018 10:00 PM
‎02-26-2018 10:00 PM
I tried both method but I still can't search for the log with - search is * -condition between 2 dec 2017 to 4th dec 2017 ... View more

Re: How to configure Splunk to use a timestamp fie...

by in Splunk Search
‎02-26-2018 09:55 PM
‎02-26-2018 09:55 PM
new sourcetype created, and below were added, service restarted. TIME_PREFIX = \"timestamp_mrt\": TIME_FORMAT = %m/%d/%Y I still can't query based on the time which is 3rd december 2017. here is some result after prefix were added: @timestamp 2017-12-03T15:30:36.208Z timestamp none timestamp_mrt 2017-12-03T15:30:36.208Z ... View more

How to configure Splunk to use a timestamp field i...

by in Splunk Search
‎02-26-2018 05:48 PM
‎02-26-2018 05:48 PM
Hi, I'm new in Splunk, hope you can guide step by step please. How do I map or link a timestamp field (eg. timestamp_mrt) into _time so I can search on it? Right now my timestamp is none. Here the log that I loaded into Splunk { "received_bytes": "28942", "srcip": "***************", "src_port": "42012", "dstport": "443", "action": "allow", "type": "checkpoint_fw", "dst_port": "443", "log_sequence_num": "0", "LastUpdateTime": "1512314958", "host": "**************", "action": "allow", "dstip": "**************", "__policy_id_tag": "product=VPN-1 & FireWall-1[db_tag={10F51296-63EA-884A-BF05-579D4499EA21}", "app_id": "60519733", "protocol": "tcp", "app_rule_name": " ", "timestamp_mrt": "2017-12-03T15:30:36.208Z", "is_first_for_luuid": "0", "reporting_host": "****************", "Suppressed logs": "19", "browse_time": "0:00:00", "host": "***************", "dst_ip": "**************", "port": 51354, "i/f_name": "eth1-01", "proto": "tcp", "app_risk": "1", "src_ip": "*****************", "app_rule_id": "{B9494762-1D04-444B-A1F5-373B2DEC6CEE}", "app_category": "Network Protocols", "log_version": "1", "reportingHost": "*****************", "appi_name": "HTTP/2 over TLS", "rule": " ", "app_sig_id": "60519733:10", "cp_fwProductName": "Application Control", "typeNo": "13", "sent_bytes": "24332", "cp_date": "03Dec2017 14:50:17", "app_properties": "Very Low Risk, Network Protocols, Communication Standard", "log_type": "log", "has_accounting": "0", "cp_hostip": "**************", "@version": "1", "logId": "-1", "matched_category": "Network Protocols", "proxy_src_ip": "172.26.2.10", "product": "Application Control", "i/f_dir": "outbound", "origin_sic_name": "CN=fw1,O=fw..vtvb5n", "@timestamp": "2017-12-03T15:30:36.208Z", "bytes": "53274", "srcport": "42012", "app_desc": "HTTP/2 provides an optimized transport for HTTP semantics. HTTP/2 supports all of the core features of HTTP/1.1, but aims to be more efficient in several ways. HTTP/2 over TLS allows HTTP/2 connections over a secured TLS connection. Supported from: R75.40." } thank you!! ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM