I'm trying to make a datatype for a specific kind of CSV data seen by Splunk. Here's an example of the individual data that Splunk sees, stored as CSV for importing:
# address,alternativeid,alternativeid_restriction,asn,asn_desc,assessment,cc,confidence,description,detecttime,guid,id,portlist,prefix,protocol,purpose,rdata,relatedid,relatedid_restriction,reporttime,restriction,rir,severity
1.2.3.4,some-url-here,public,1234,Description of 1234,scanner,CN,85,ssh,2014-04-23T04:27:21Z,everyone,1acb6224-dde9-4465-a34c-32283a130c00,22,1.2.3.0/18,6,mitigation,,,,2014-04-23T02:31:15Z,need-to-know,APNIC,medium
There are two timestamps here. When using this regex, it finds the second timestamp: \d\d\d\d-\d\d-\d\d[A-Z]\d\d:\d\d:\d\dZ
What I need it to do is to read the first timestamp, which is the detection time for that specific data rather than the reported time for it. Can anyone help me figure out how to make Splunk detect the first timestamp, and only that first timestamp? Note that where it says "ssh", it will not always be "ssh", so you can't use that as part of the detection.
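Added example (editor's code, not part of the question or of any answer on the page): the regex in the question matches any ISO-8601 "Z" timestamp, so nothing in it distinguishes detecttime from reporttime. The reliable fix is to select the column rather than the pattern. Below, one function anchors at the start of the line and skips exactly nine comma-separated fields before capturing the tenth (detecttime); a second parses the header with the csv module and picks the column by name, which also survives quoted fields containing commas. The header and data lines are the ones quoted in the question; the quoted-field row and all function names are constructed for illustration.

```python
import csv
import io
import re

# The two lines quoted in the question (the header line carries a leading '#').
HEADER = ("# address,alternativeid,alternativeid_restriction,asn,asn_desc,assessment,"
          "cc,confidence,description,detecttime,guid,id,portlist,prefix,protocol,"
          "purpose,rdata,relatedid,relatedid_restriction,reporttime,restriction,rir,severity")
ROW = ("1.2.3.4,some-url-here,public,1234,Description of 1234,scanner,CN,85,ssh,"
       "2014-04-23T04:27:21Z,everyone,1acb6224-dde9-4465-a34c-32283a130c00,22,"
       "1.2.3.0/18,6,mitigation,,,,2014-04-23T02:31:15Z,need-to-know,APNIC,medium")

# Constructed variant: asn_desc is quoted and contains a comma, which breaks
# any approach that counts raw commas.
ROW_QUOTED = ROW.replace("Description of 1234", '"Description, of 1234"')

# The regex from the question. It is satisfied by detecttime AND reporttime;
# nothing in it prefers one over the other.
POSTED_RE = re.compile(r"\d\d\d\d-\d\d-\d\d[A-Z]\d\d:\d\d:\d\dZ")

# Positional variant: anchor at start of line, consume exactly nine fields
# (address .. description), then capture the tenth field, detecttime.
# The prefix `^(?:[^,]*,){9}` is the shape a TIME_PREFIX setting in Splunk's
# props.conf would take for this layout (the timestamp itself then being
# described by TIME_FORMAT); that mapping is stated here as an assumption.
DETECTTIME_RE = re.compile(r"^(?:[^,]*,){9}(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)")


def all_timestamps(line):
    """Return every timestamp the posted regex finds, in order of appearance."""
    return POSTED_RE.findall(line)


def detecttime_by_position(line):
    """Return detecttime (10th field) or None if the line does not fit the layout.

    Limitation: `[^,]*` treats every comma as a delimiter, so a quoted field
    containing a comma shifts the count and the match fails (or, with other
    data, lands on the wrong field). Use the csv-based variant when the
    producer may quote fields.
    """
    m = DETECTTIME_RE.match(line)
    return m.group(1) if m else None


def detecttime_by_header(csv_text):
    """Parse the feed with the csv module and pick detecttime by column name.

    The '#' comment marker is stripped from the header line so the column
    names line up with the data rows. Returns one value per non-empty row;
    rows too short to carry the column yield None rather than raising.
    """
    lines = csv_text.splitlines()
    header_line = lines[0].lstrip("#").strip()
    reader = csv.reader(io.StringIO("\n".join([header_line] + lines[1:])))
    header = next(reader)
    col = header.index("detecttime")
    return [row[col] if len(row) > col else None for row in reader if row]
```

Running `detecttime_by_position` on the quoted row returns None while `detecttime_by_header` still returns the detection time, which is the practical argument for selecting the column by name whenever the feed producer may quote fields.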