Getting Data In

Extract epoch and tai64 time from imported event

keiichilam
Explorer

Hi

Do you have any idea to decode Epoch time and Tai64 encoded time?

I have several device their time is as below..

completely have no idea on Tai64. for Epoch, I tried to put following in props.conf

[sourcetype]
TIME_FORMAT = %s  

but do not work .

Time is Tai64

@400000004de5bcd921686bec tcpserver: status: 0/40
@400000004de5bcd921686034 tcpserver: end 10611 status 256
@400000004de5bcd91d08caec tcpserver: ok 10611 0:192.168.2.33:110 :192.168.1.102::2029
@400000004de5bcd91d08c704 tcpserver: pid 10611 from 192.168.1.102

Time is Epoch

1303380720.401    399 192.168.3.32 TCP_MISS/000 3437 GET mail:a@b.c - DIRECT/192.168.2.33 multipart/alternative DETECT-STAT:SPAM:FSIGK/SPAM_CT/4/0/str%3d0001.0A3D0009.4DB002F2.0054%2css%3d4%2cfgs%3d0:::: ACTION:CHANGE_SUBJECT: PROXY-STAT:smtp:0:3392:192.168.3.32:1:0:18:: PROTOCOL-STAT:a@b.c:<SNT115-W4378F7332227898850E657AE920@phx.gbl>: PROXY-ERROR::

1303365337.779    410 192.168.3.32 TCP_MISS/000 3313 GET mail:a@b.c - DIRECT/192.168.2.33 multipart/alternative DETECT-STAT:SPAM:FSIGK/SPAM_CT/3/0/str%3d0001.0A3D0009.4DAFC6DB.0037%2css%3d3%2cfgs%3d0:::: ACTION:CHANGE_SUBJECT: PROXY-STAT:smtp:1:3393:192.168.3.32:1:0:13:: PROTOCOL-STAT:a@b.c:<418ea2af3d2ec5aebde87ee2c78309ad@edm04.01webdesign.com.hk>: PROXY-ERROR::

1303365336.935    404 192.168.3.32 TCP_MISS/000 3308 GET mail:a@b.c - DIRECT/192.168.2.33 multipart/alternative DETECT-STAT:SPAM:FSIGK/SPAM_CT/3/0/str%3d0001.0A3D0009.4DAFC6DA.0054%2css%3d3%2cfgs%3d0:::: ACTION:CHANGE_SUBJECT: PROXY-STAT:smtp:0:3392:192.168.3.32:1:0:16:: PROTOCOL-STAT:a@b.c:<fa4fe4d1cb0c21701daea014a61fdde7@edm04.01webdesign.com.hk>: PROXY-ERROR::
Tags (2)

woodcock
Esteemed Legend

You cannot tell Splunk the TIME_FORMAT for Tai64 but if you tell Splunk TIME_PREFIX and MAX_TIMESTAMP_LOOKAHEAD, it will get it automatically correct (except for sub-seconds) and it should work for both epoch and Tai64:

[sourcetype]
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 26
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...