problems with time stamp extraction

dshakespeare_sp
Splunk Employee

I have been given a log file to ingest into Splunk as part of a Lab exercise, but Splunk is not extracting the time and date correctly.
The log has a strange format and Splunk is trying to use the last octet of the IP address as the year.
The file looks like:
site: 1 [16--07--01 07:01:00.001] 192.168.3.14 07 22 ErrorCode=43685 Aborted
site: 2 [16--07--01 07:02:14.010] 192.168.3.15 07 22 ErrorCode=43681 Abend
site: 1 [16--07--01 07:03:55.001] 192.168.3.15 07 21 ErrorCode=43685 Aborted

Is there an easy way to resolve this issue?


dshakespeare_sp
Splunk Employee

You are BOTH correct. I set this as a "new starter" challenge.
The task was two-fold:
1. How to deal with a non standard timestamp
2. To see the power of Splunk Answers (and not have to re-invent the wheel)

BTW eric I think TIME_PREFIX = ^[ should read TIME_PREFIX = [

🙂


woodcock
Esteemed Legend

You need to specify values for TIME_PREFIX and TIME_FORMAT for your file. To help you any more would be inappropriate because you are supposed to do the work yourself.


esix_splunk
Splunk Employee

For your sourcetype, you need to look at specifying the timestamp format, along with a few other options. Another thing is that your year/m/d format isn't a supported type out of the box...

[mysourcetype]
# Leave DATETIME_CONFIG at its default: setting it to NONE switches the
# timestamp extractor off, and TIME_PREFIX / TIME_FORMAT are then ignored.
# The line starts with "site: N ", so the prefix regex must not be anchored with ^
TIME_PREFIX = \[
# The log is year--month--day (16--07--01), so the year comes first
TIME_FORMAT = %y--%m--%d %H:%M:%S.%3N
MAX_TIMESTAMP_LOOKAHEAD = 26

http://docs.splunk.com/Documentation/Splunk/6.4.2/Data/Configuretimestamprecognition

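Before pushing a props.conf change to an indexer, it helps to check the TIME_PREFIX regex and TIME_FORMAT against the sample lines. The script below is an added example, not part of the answer above or of Splunk itself: it approximates Splunk's explicit extraction (find the prefix, parse the format from the next MAX_TIMESTAMP_LOOKAHEAD characters) and shows that an anchored `^\[` prefix and a month-first format both fail on every line of the constructed sample.

```python
import re
from datetime import datetime

# Constructed sample, copied from the format shown in the question.
SAMPLE_LOG = """\
site: 1 [16--07--01 07:01:00.001] 192.168.3.14 07 22 ErrorCode=43685 Aborted
site: 2 [16--07--01 07:02:14.010] 192.168.3.15 07 22 ErrorCode=43681 Abend
site: 1 [16--07--01 07:03:55.001] 192.168.3.15 07 21 ErrorCode=43685 Aborted
"""

# Candidate props.conf settings. Splunk's %3N (milliseconds) has no strptime
# equivalent, so it is mapped to %f inside extract_timestamp().
TIME_PREFIX = r"\["                      # no ^ anchor: "site: N " precedes it
TIME_FORMAT = "%y--%m--%d %H:%M:%S.%3N"  # year--month--day, as in the log
MAX_TIMESTAMP_LOOKAHEAD = 26


def extract_timestamp(line, prefix=TIME_PREFIX, fmt=TIME_FORMAT,
                      lookahead=MAX_TIMESTAMP_LOOKAHEAD):
    """Approximate Splunk's explicit extraction: locate TIME_PREFIX, then
    parse TIME_FORMAT out of the next `lookahead` characters.  Returns a
    datetime, or None when the prefix is missing or the text never matches
    the format (the cases in which Splunk falls back to guessing)."""
    m = re.search(prefix, line)
    if m is None:
        return None
    window = line[m.end():m.end() + lookahead]
    py_fmt = fmt.replace("%3N", "%f")
    # strptime rejects trailing text, so try the longest prefix of the
    # window first and shrink until the format matches (or nothing does).
    for end in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:end], py_fmt)
        except ValueError:
            continue
    return None


def check_config(log_text, **settings):
    """Run the extractor over every line; a None in the result means that
    line would not get its timestamp from the configured format."""
    return [extract_timestamp(l, **settings) for l in log_text.splitlines()]


if __name__ == "__main__":
    for ts in check_config(SAMPLE_LOG):
        print(ts)                      # 2016-07-01 07:01:00.001000, ...
    # Anchored prefix and month-first format both fail on every line:
    print(check_config(SAMPLE_LOG, prefix=r"^\["))
    print(check_config(SAMPLE_LOG, fmt="%m--%d--%y %H:%M:%S.%3N"))
```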

dshakespeare_sp
Splunk Employee

Congratulations! You have used Splunk Answers to find the answer to the Lab.
I am willing to provide some clues to assist.

Try ingesting the log into Splunk using the Data Inputs GUI and use Data Preview.
You will see the date is in a non-standard format and the IP address has been designed to look like a year.
You will need to set the following:
A Time Stamp Format to deal with the time stamp
A Time Stamp Prefix to locate the time stamp (hint: you may need a regex for this; regex101.com is a good place to test it)
A Time Stamp Look Ahead

The Splunk Admin Manual and the Splunk Cheat Sheet will also provide help.
