Splunk Enterprise

Missing date_* fields

jadengoho
Builder

Hi,

I have this log format on our environment : 

2021-12-03 03:28:04.296, EVENT_TIMESTAMP="2021-12-03 03:26:38.039962 Asia/Shanghai", ACTION_NAME="LOGON", AUDIT_TYPE="Standard", RETURN_CODE="1", AUTHENTICATION_TYPE="(TYPE=(*));(CLIENT ADDRESS=((ADDRESS=(PROTOCOL=*)(HOST=1.1.1.1)(PORT=222))));", CURRENT_USER="my_own_user", DBID="0001111222", DBUSERNAME="my_own_user", INSTANCE_ID="1", OS_PROCESS="12000111", OS_USERNAME="ec2-user", SCN="900000000", SESSIONID="100000000", SYSTEM_PRIVILEGE_USED="CREATE SESSION", TERMINAL="unknown", UNIFIED_AUDIT_POLICIES="unknown", USERHOST="ec2-user", TS="2021-12-03 03:26:38"

But it is missing the date_hour, date_mday, date_minute, date_month, date_second, date_wday, date_year, date_zone  fields 

this is the PROPS.CONF:
[audit_sample]
ANNOTATE_PUNCT = false
LINE_BREAKER = ([\r\n]+)
SHOULD_LINEMERGE = false
MAX_TIMESTAMP_LOOKAHEAD = 32
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N
TRUNCATE = 2000


i have read the https://docs.splunk.com/Documentation/Splunk/8.2.3/Knowledge/Usedefaultfields
and it says that the date_* fields are only available if the timestamp is properly extracted. 
Which in my case is fine  because it have the _time field and when i compare the _time to the actual logs they are similar, and my props configuration is properly working.

What might be the reason on why I'm missing those fields.

It is not window_event_logs

 

Labels (2)
Tags (2)
0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!