Hi
Do you have any idea how to decode Epoch time and Tai64 encoded time?
I have several devices; their time is as below.
I completely have no idea about Tai64. For Epoch, I tried to put the following in props.conf
[sourcetype]
TIME_FORMAT = %s
but it does not work.
Time is Tai64
@400000004de5bcd921686bec tcpserver: status: 0/40
@400000004de5bcd921686034 tcpserver: end 10611 status 256
@400000004de5bcd91d08caec tcpserver: ok 10611 0:192.168.2.33:110 :192.168.1.102::2029
@400000004de5bcd91d08c704 tcpserver: pid 10611 from 192.168.1.102
Time is Epoch
1303380720.401 399 192.168.3.32 TCP_MISS/000 3437 GET mail:a@b.c - DIRECT/192.168.2.33 multipart/alternative DETECT-STAT:SPAM:FSIGK/SPAM_CT/4/0/str%3d0001.0A3D0009.4DB002F2.0054%2css%3d4%2cfgs%3d0:::: ACTION:CHANGE_SUBJECT: PROXY-STAT:smtp:0:3392:192.168.3.32:1:0:18:: PROTOCOL-STAT:a@b.c:<SNT115-W4378F7332227898850E657AE920@phx.gbl>: PROXY-ERROR::
1303365337.779 410 192.168.3.32 TCP_MISS/000 3313 GET mail:a@b.c - DIRECT/192.168.2.33 multipart/alternative DETECT-STAT:SPAM:FSIGK/SPAM_CT/3/0/str%3d0001.0A3D0009.4DAFC6DB.0037%2css%3d3%2cfgs%3d0:::: ACTION:CHANGE_SUBJECT: PROXY-STAT:smtp:1:3393:192.168.3.32:1:0:13:: PROTOCOL-STAT:a@b.c:<418ea2af3d2ec5aebde87ee2c78309ad@edm04.01webdesign.com.hk>: PROXY-ERROR::
1303365336.935 404 192.168.3.32 TCP_MISS/000 3308 GET mail:a@b.c - DIRECT/192.168.2.33 multipart/alternative DETECT-STAT:SPAM:FSIGK/SPAM_CT/3/0/str%3d0001.0A3D0009.4DAFC6DA.0054%2css%3d3%2cfgs%3d0:::: ACTION:CHANGE_SUBJECT: PROXY-STAT:smtp:0:3392:192.168.3.32:1:0:16:: PROTOCOL-STAT:a@b.c:<fa4fe4d1cb0c21701daea014a61fdde7@edm04.01webdesign.com.hk>: PROXY-ERROR::
You cannot tell Splunk the TIME_FORMAT for Tai64, but if you tell Splunk TIME_PREFIX and MAX_TIMESTAMP_LOOKAHEAD, it will get it automatically correct (except for sub-seconds) and it should work for both epoch and Tai64:
[sourcetype]
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 26
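A small decoder for the two timestamp forms in the question, added here as an example and not code from the thread; it lets you check the _time Splunk assigns (including the sub-seconds the answer says Splunk drops for Tai64). It assumes the @4000... labels were written by daemontools' tai64n, which stamps unix time + 10 s (the offset tai64nlocal removes), and the sample lines are taken from the question.

```python
import re
from datetime import datetime, timezone
from typing import Tuple

TAI64_BASE = 1 << 62   # every TAI64 label is offset by 2^62
TAI_MINUS_UNIX = 10    # assumption: daemontools tai64n stamps unix_time + 10 s

# Leading-timestamp patterns for the two log formats shown in the question.
TAI64N_RE = re.compile(r"^@([0-9a-f]{16})([0-9a-f]{8})(?=\s)")
EPOCH_RE = re.compile(r"^(\d{9,10})(?:\.(\d{1,9}))?(?=\s)")


def decode_tai64n(line: str) -> Tuple[int, int]:
    """Return (unix_seconds, nanoseconds) for a line starting with a TAI64N label."""
    m = TAI64N_RE.match(line)
    if not m:
        raise ValueError(f"no TAI64N label at start of line: {line[:30]!r}")
    secs = int(m.group(1), 16) - TAI64_BASE - TAI_MINUS_UNIX
    nanos = int(m.group(2), 16)
    if secs < 0 or nanos >= 10**9:
        raise ValueError("TAI64N label out of range")
    return secs, nanos


def decode_epoch(line: str) -> Tuple[int, int]:
    """Return (unix_seconds, nanoseconds) for a line starting with e.g. '1303380720.401 '."""
    m = EPOCH_RE.match(line)
    if not m:
        raise ValueError(f"no epoch timestamp at start of line: {line[:30]!r}")
    frac = (m.group(2) or "").ljust(9, "0")   # '401' -> 401000000 ns
    return int(m.group(1)), int(frac)


def line_time(line: str) -> Tuple[int, int]:
    """Pick the decoder from the first character, like TIME_PREFIX = ^ with a short lookahead."""
    return decode_tai64n(line) if line.startswith("@") else decode_epoch(line)


def to_utc_iso(secs: int, nanos: int) -> str:
    """Render as UTC ISO-8601 with the full nanosecond field preserved."""
    dt = datetime.fromtimestamp(secs, tz=timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S") + f".{nanos:09d}Z"


# Sample lines copied from the question, one per format.
SAMPLE_LINES = [
    "@400000004de5bcd921686bec tcpserver: status: 0/40",
    "1303380720.401 399 192.168.3.32 TCP_MISS/000 3437 GET mail:a@b.c - DIRECT/192.168.2.33",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(to_utc_iso(*line_time(line)), "<-", line[:40])
```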