cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
sonomauser
Explorer
Member since: ‎04-08-2019
‎09-03-2023
Community Statistics
Posts 8
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎04-08-2019
Activity Feed
View All

Re: Log files with different timezones (UTC)

by in Getting Data In
‎11-08-2021 07:33 AM
‎11-08-2021 07:33 AM
Thank you again.  I definitely read both of those articles before posting and took their suggestions, it just wasn't showing the PST time in Search and I was having a hard time conceptualizing how it should work or what I was doing wrong.  It's working now, so thank you.  ... View more

Re: Log files with different timezones (UTC)

by in Getting Data In
‎11-04-2021 08:44 AM
‎11-04-2021 08:44 AM
Ok. Thank you. I wasn't intentionally trying to alter the actual timestamp in the logs, I just wasn't quite sure how Splunk handled this type of thing.  I was able to get it to work by putting TZ in the source type stanza on the Indexer, not the HF. I thought this had to be done on the HF, but I suppose that was my misunderstanding.   ... View more

Log files with different timezones (UTC)

by in Getting Data In
‎11-03-2021 09:28 AM
‎11-03-2021 09:28 AM
I apologize since similar questions have been asked numerous times in the past. I have read several of them on this site as well as Splunk's own timezone article. I've tried a lot of things based on these articles, but the _time value doesn't appear to change at all.  I'm either doing something wrong or my expectations are off.  Background: We are PST. The Operating Systems for all our Splunk servers are configured for PST and are running Splunk 8.1.3. We are using a heavy forwarder to index IIS logs that are in UTC.  When searching these logs in Splunk, I would like the canned times (Last 4 Hours, Last 60 Minutes, etc.) to reflect the PST-equivalent times they occurred. So if I'm searching for something that happened 30 minutes ago in real time, "Last 60 Minutes" will contain that log.  It is my understanding that I am supposed to create/edit the props.conf on the heavy forwarder (/opt/splunk/etc/apps/iis/local/props.conf) and specify the TZ these logs files are set to: [sourcetype_name] TZ = UTC Then restart Splunk on the heavy forwarder.  This is done and I've restarted the entire Splunk farm. I've even set this in the /opt/splunk/etc/system/local/props.conf on the HF. These logs are still being indexed 7 hours into the future.  Should this be working or am I thinking about this completely wrong?  If my thinking is off-base, is it possible to accomplish what I'm attempting? Any suggestions would be appreciated.  Thank you.  ... View more

Re: Search time field extractions with backslash n...

by in Splunk Search
‎10-25-2021 08:23 AM
‎10-25-2021 08:23 AM
Thank you for your assistance, PickleRick's suggested Regex was able to give me the results I was looking for. Poor regex usage on my part.  However, to answer your questions, this is a Search Time extraction.  Some sample data would be: 2021-10-20 00:00:11 POST /EWS/Exchange.asmx &CorrelationID=<empty>;&cafeReqId=a0d15c2a-4c65-bd1837e8755d; domain\username 192.168.111.222 Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.5149;+Pro) 200 and 2021-10-20 00:00:05 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Ping&User=domain%5username&DeviceId=bc6fbaac6f14f7811cea8d7&DeviceType=Outlook&CorrelationID=<empty>;&cafeReqId=4a35be43-351a-662266fc3188; domain\username 111.222.333.444 Outlook-iOS-Android/1.0 - 200 What I meant by "contains data that isn't exactly correct" is that when using (?P<Test>domain\S+), the extraction would grab "username\domain" from the first example event, but would also grab "domain%5username&DeviceId=bc6fbaac6f14f7811cea8d7&DeviceType=Outlook&CorrelationID=<empty>;&cafeReqId=4a35be43-351a-662266fc3188" from the second example. Almost right, but way too much. Clearly a lack of regex understanding on my part.  Thank you.  ... View more

Re: Search time field extractions with backslash n...

by in Splunk Search
‎10-25-2021 07:48 AM
‎10-25-2021 07:48 AM
Thank you. I was using rex.  Your suggested regex totally worked and now it's in the Interesting fields. Thank you very much. I wish I knew enough about regex to know what makes a decent extraction vs a less than decent.  (?<userdomain>\S+)\\(?<username>\S+)  I will mark this as the solution.  ... View more

Search time field extractions with backslash not s...

by in Splunk Search
‎10-22-2021 03:34 PM
‎10-22-2021 03:34 PM
Hello Splunk Wizards, I know there are plenty of people who've had similar issues, but I haven't been able to use their resolution for my issue.  I'm doing a search time field extraction to capture login username, which includes a backslash. I have the regex correct (?P<User_Name>(domain\\\\\\S+)) slightly modified from regex 101 for Splunk. In the field extraction wizard, it perfectly grabs all sample data (ex: domain\username).   (?P<User_Name>(domain\\\\\\S+))   However, this field doesn't show up in search when looking at the exact same sample data. I've performed a verbose search and made sure all available fields are showing, it's not there. I've tried using groups names I know Splunk isn't already using, no improvement.  Pretty sure it was to do with the backslash, because if I modify the regex to (?P<User_Name>domain\S+), the field extraction shows up in search, but it also contains data that isn't exactly correct.    (?P<User_Name>domain\S+)   I've tried variations with more and less backslashes, none seem to work.  I guess I can live with a sloppy field extraction if that's all I can do, but the first regex really is perfect.  Any ideas? ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎09-03-2023 01:20 PM