Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

[Extract DateTime in event to _time] datetime.xml some formats

SuperMisterT
Loves-to-Learn Everything
‎08-24-2021 06:40 AM

Hi,

I have TCP 514 logs in the same sourcetype.
There are different formats of timestamp in log and even in events.
I don't understand my mistakes with datetime.xml. It's working for one format but not for the second.

I text regexp with search ( | rex field=_raw ".........") fields are correctly extracted.

I follow thus tuto: https://www.function1.com/2013/01/oh-no-splunking-log-files-with-multiple-formats-no-problem

Thanks for your help.

 

Example:
first log:
<111> YYYY-MM-DDTHH:MM:SS+02:00 localhost house 12154 - @ip [DD/LitMM/YYYY:HH:MM:SS.MS] ...........
_time is correctly extract,

second log:
<145> YYYY-MM-DDTHH:MM:SS+02:00 localhost foo - - YYYY-MM-DDTHH:MM:SS.MS+0000 jizjfoziejfz battle: cececeijoijoi [YYYY-MM-DDTHH:MM:SS.MS+0000] ...........
_time is not extracted, value is index time 😞

 

I'm on a standalone station, so i copy regexp without storage (maybe typo).


Configuration:
in datetime.xml on HeayFW (etc/apps/test/default)


<define name="_house" extract="day, litmonth,year,hour,minute,second,subsecond">
<text>house.*\[(\d{2})/(\w{3})/(\d{4}):(\d{2}):(\d{2}):(\d{2})\.\d+\]></text>
</define>
<define name="_battle" extract="year,month,day,hour,minute,second,subsecond">
<text>battle.*\[(\d{4})\-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})\.\d+\+\d{4}\]></text>
</define>

<timePatterns>
<use name="_house"/>
<use name="_battle"/>
</timePatterns>
<datePatterns>
<use name="_house"/>
<use name="_battle"/>
</datePatterns>
</datetime>

in props.conf
[my_sourcetype]
DATETIME_CONGIG= /etc/apps/test/defaults/datetime.xml
LINE_BREAKER = ([\r|\n])+
SHOULD_LINEMERGE = false

 

Labels (3)
0 Karma
Reply

harsmarvania57
Ultra Champion
‎08-24-2021 07:29 AM

Can you please try below config in datetime.xml?

 

<datetime>
<define name="_house" extract="day, litmonth, year, hour, minute, second, subsecond">
<text><![CDATA[house.*\[(\d{2})/(\w{3})/(\d{4}):(\d{2}):(\d{2}):(\d{2})\.(\d+)\]]]></text>
</define>

<define name="_battle" extract="year, month, day, hour, minute, second, subsecond, zone">
<text><!CDATA[battle.*\[(\d{4})\-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})\.(\d+)(\+\d{4})\]]]></text>
</define>

<timePatterns>
<use name="_house"/>
<use name="_battle"/>
</timePatterns>
<datePatterns>
<use name="_house"/>
<use name="_battle"/>
</datePatterns>
</datetime>

 

 

0 Karma
Reply

SuperMisterT
Loves-to-Learn Everything
‎08-24-2021 07:42 AM

I found the error. This is in the configuration of MAX_TIMESTAMP_LOOKAHEAD.

My field is beyong 128 char. So in log, i see Failed to parse timestamp in first MTL (128).

My question : "how configure tow differents MAX_TIMESTAMP_LOOKAHEAD?"

 

0 Karma
Reply

harsmarvania57
Ultra Champion
‎08-24-2021 07:51 AM

You can't configure different MAX_TIMESTAMP_LOOKAHEAD. Have you tried datetime.xml which I have provided?

0 Karma
Reply

SuperMisterT
Loves-to-Learn Everything
‎08-24-2021 07:26 AM

Yes this is a typo when i copied my screen sorry.....

0 Karma
Reply

harsmarvania57
Ultra Champion
‎08-24-2021 07:15 AM

I have not gone through regex in details but I can see that in your datetime.xml, you don't have <datetime> and in props.conf you have defined defaults however you have directory called default

0 Karma
Reply
Get Updates on the Splunk Community!

Modern way of developing distributed application using OTel

Recently, I had the opportunity to work on a complex microservice using Spring boot and Quarkus to develop a ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had 3 releases of new security content via the Enterprise Security ...

Archived Metrics Now Available for APAC and EMEA realms

We’re excited to announce the launch of Archived Metrics in Splunk Infrastructure Monitoring for our customers ...