Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Need assistance in setting a sourcetype--date/time

NanSplk01
Path Finder
‎07-29-2024 11:59 AM

I am trying to create a sourcetype for a new client:

Note StartDate=xxxx is where the log begins.  However the StartTime=*** is not with it, but I need both int he logs.  How do I create this sourcetype? 

C:\Program Files\Universal\UAGSrv\xxx>set StartDate=Mon 07/29/2024

C:\Program Files\Universal\UAGSrv\xxx>set sdy=2024

C:\Program Files\Universal\UAGSrv\xxx>set sdm=07

C:\Program Files\Universal\UAGSrv\xxx>set sdd=29

C:\Program Files\Universal\UAGSrv\xxx>set sdy=2024

C:\Program Files\Universal\UAGSrv\xxx>set sdm=07

C:\Program Files\Universal\UAGSrv\xxx>set sdd=29

C:\Program Files\Universal\UAGSrv\xxx>set StartTime=14:45:09.56

 

any assistance would be very helpful and appreciated.

Labels (2)
Labels
0 Karma
Reply

NanSplk01
Path Finder
‎07-29-2024 12:33 PM

It is one of several blocks of lines inside the log file.  Each starts with the little snippet I put above and then has any number of lines after it.  While the file is a .txt, the look to me would be a xml document that pushes out the log file.  I've not seen one like it before.  I was thinking I'd need a props or transform or both to set this date/time, but it's my first experience with it.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-30-2024 05:30 AM

While every sourcetype should have props defined, this may be beyond what transforms can do.  Timestamp extraction happens before transforms are applied, which is why I suggested an input script do the work.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-29-2024 12:20 PM

Wow.  The developer that created that log needs to be taught how to use Splunk so he can see how awful his creation is.

Is that one event or several?  Or is that the prologue to the log file?

You may be able to use a custom datetime.xml file or you may want to consider an input script that normalizes the timestamp.

---
If this reply helps you, Karma would be appreciated.
Reply

NanSplk01
Path Finder
‎07-30-2024 09:11 AM

Well, I did find another line which has the date and time, but it's over 15 lines into the log file.  We need to start with the first line which is the beginning of the stanza, but get the timestamp which is 15th line showing after the opening line shown below

C:\Program Files\Universal\UAGSrv\xxxl_p01.nam>set StartDate=Tue 07/23/2024 

This is the actual timestamp which I think would work since it has both date and time (hoping that's what the _80514 is the time??

 Files\Universal\UAGSrv\xxx_p01.nam>set timestamp=20240723_80514

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-30-2024 05:11 PM

You probably could define TIME_PREFIX to find that timestamp.  However, is the timestamp present for every event or just once in the file?  If the latter, then start writing code to re-process that file into something Splunk can ingest more easily.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...