SYSLOG often sends the timestamp in the older format (e.g. Jul 11 14:23:32). Unfortunately, that format does not have a year or timezone. I know that Splunk has logic to 'figure' it out, but I need to have it reformatted to the following:
YYYY-MM-DDTHH:mm:ss<GMT offset>
Is there a way to accomplish this with INGEST_EVAL or another method? If so, how is it done? This should change the _raw event (that is, this is not a search-time question). Kind of like a mask.
Hi @dokaas_2,
I know two solutions:
a pre-parsing script that reformats your logs before Splunk ingests them.
the SEDCMD command.
ciao.
Giuseppe
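As an added illustration of the first option above (the pre-parsing approach, not Splunk configuration and not code from this thread): a small Python filter that rewrites the old-style syslog prefix into YYYY-MM-DDTHH:mm:ss+HH:MM before the line reaches Splunk. Since the BSD syslog format carries neither year nor zone, both are assumptions the script has to be given: the source host's timezone, and the ingest time used to infer the year, including the December-to-January rollover case.

```python
import re
from datetime import datetime, timedelta, timezone

# Leading BSD-syslog timestamp, e.g. "Jul 11 14:23:32": no year, no zone.
SYSLOG_TS = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s(?P<hms>\d{2}:\d{2}:\d{2})")

def _with_year(parsed, year, tz):
    try:
        return parsed.replace(year=year, tzinfo=tz)
    except ValueError:  # "Feb 29" in a non-leap year: impossible for that year
        return None

def reformat_syslog_line(line, now, tz):
    """Rewrite the leading timestamp as YYYY-MM-DDTHH:mm:ss+HH:MM.

    now: aware datetime of ingestion, used to infer the missing year.
    tz:  the zone the syslog source writes its local timestamps in (assumed).
    Lines that do not carry the old-style timestamp are returned unchanged.
    """
    m = SYSLOG_TS.match(line)
    if not m:
        return line
    try:  # parse against a leap-year placeholder so "Feb 29" survives this step
        parsed = datetime.strptime(f"2000 {m['mon']} {m['day']} {m['hms']}", "%Y %b %d %H:%M:%S")
    except ValueError:  # right shape, impossible date: leave it for Splunk
        return line
    year = now.astimezone(tz).year
    ts = _with_year(parsed, year, tz)
    # Rollover edge case: a December line read in early January would be stamped
    # a year ahead; anything over a day in the future belongs to last year.
    if ts is None or ts > now + timedelta(days=1):
        ts = _with_year(parsed, year - 1, tz)
    if ts is None:
        return line
    return ts.isoformat(timespec="seconds") + line[m.end():]

# Constructed sample: ingest happens on 3 Jan 2025 UTC, source host runs at UTC+2.
NOW = datetime(2025, 1, 3, 8, 0, 0, tzinfo=timezone.utc)
SOURCE_TZ = timezone(timedelta(hours=2))
SAMPLE_LINES = [
    "Jul 11 14:23:32 host1 sshd[1234]: Accepted publickey for alice from 10.0.0.5",
    "Dec 31 23:59:58 host1 cron[77]: run-parts finished",
    "Jan  2 09:15:00 host2 kernel: eth0 link up",
    "2025-01-03T07:00:00+00:00 host3 app: already ISO 8601, left alone",
]

def demo():
    return [reformat_syslog_line(ln, NOW, SOURCE_TZ) for ln in SAMPLE_LINES]
```

Run it as a filter between the syslog receiver and the Splunk input (for example on stdin/stdout), calling reformat_syslog_line per line with the real ingest time and the source's zone.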