Hi All,
Kindly help to extract the timestamp from the log below.
Aug 23 05:10:50 1.1.1.1 Aug 22 2017 19:10:51: %ASA-6-302014: Teardown TCP connection 418825708 for inside:1.1.1.1/88 to VMWare-Internal-DMZ:10.1.1.1/12345 duration 0:00:00 bytes 1880 TCP FINs
We need to extract the bold time for a particular host. How do you write the regular expression?
[host::1.1.1.1]
TIME_PREFIX = ?
MAX_TIMESTAMP_LOOKAHEAD = ?
Thanks in advance
Any help?
[my_sourcetype]
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 17
TIME_FORMAT = %b %d %H:%M:%S
LINE_BREAKER = ([\r\n]+)\w+\s\d+\s\d+:\d+:\d+
SHOULD_LINEMERGE = False
TRUNCATE = 10000
I have to define this in props.conf, right? Anything in transforms.conf?
Yes, you define this in props.conf; make sure to replace my_sourcetype with your sourcetype name. After you set this you have to restart splunkd.
Did this solve your question? If so, can you accept it?
@skoelpin No 😞
If you're just looking to extract the bold portion, then the extraction will look like this:
(?<NAME>\w+\s\d+\s+\d+:\d+:\d+)
[cisco:asa]
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 17
TIME_FORMAT = %b %d %H:%M:%S
LINE_BREAKER = ([\r\n]+)\w+\s\d+\s+\d+:\d+:\d+
SHOULD_LINEMERGE = False
TRUNCATE = 10000
Should I try this?
Is cisco:asa your sourcetype? If so, then yes.
Are you just trying to extract the bold part out or do you want it to timestamp correctly based off the second timestamp?
Can you elaborate more on what the issue is? The props.conf entry I provided you will work, I tested it!
Hello
You can just use:
TIME_PREFIX = ^
TIME_FORMAT = %b %d %H:%M:%S
Regards
Not working. The issue is that if I run it for real time or the last 15 minutes, the Splunk default props work fine; however, if I search, let's say, 5 AM logs, then it picks the date Aug 22 and the time from the first timestamp, which is 05:10:50.
It should pick time and date as Aug 23 05:10:50
Aug 23 05:10:50 1.1.1.1 Aug 22 2017 19:10:51: %ASA-6-302014: Teardown TCP connection 418825708 for inside:1.1.1.1/88 to VMWare-Internal-DMZ:10.1.1.1/12345 duration 0:00:00 bytes 1880 TCP FINs.
Help?
This is because you didn't specify the MAX_TIMESTAMP_LOOKAHEAD attribute. This defaults to 150 characters relative to your TIME_PREFIX attribute. So Splunk may be getting confused since you have 2 timestamps in the first 150 characters. Look at my answer below to see the full base configs you should set in props.conf.