- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- problem extracting timestamps
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
problem extracting timestamps
I'm unable to get correct timestamps for my snmptrap log-file.
This is an example of an snmptrap :
2012-06-18 11:55:12 servername [UDP: [10.10.10.10]:32768->[0.0.0.0]:0]:
Splunk does not take 2012-06-18 11:55:12 as timestamp, instead it takes the last-modified date of the log-file which remains the same as it is an always-edited file.
I've tried with following settings in props.conf :
[snmptrap]
SHOULD_LINEMERGE=False
TIME_PREFIX=
TIME_FORMAT=%Y-%m-%d %H:%M:%S
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{d}
But still not getting the correct timestamp.
What am I doing wrong?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think I can index your timestamp of the file by default setting. How did you log the snmptrap to the file? Does the file contains the timestamp as you described?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's strange. Please clean event at all, then try to re-index the file.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I used snmptrapd from net-snmp to create a log-file locally on the splunk server. Each event in the file starts with the timestamp like 2012-06-18 11:55:12. Until yesterday there was no problem using the default setting.
Once splunk started to use the file modification time instead of the timestamp events started to no longer be properly split.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've restarted the entire server instead of the splunk service only.
Thus the log file has been recreated and with it it's modification time.
Currently I have no way to tell whether Splunk is using the file modification time or the timestamp.
I already see that timestartpos and timeendpos have values.
The weird thing is that the timestamping went OK for more than two days and then suddenly stopped. Before I configured TIME*FORMAT the timestartpos and timeendpos were (0,20), when timestamping broke their value became null and now with TIME*FORMAT its (0,19).
I hope timestamping will stay correct this time.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you change your props.conf, it will not affect until you reboot splunk and re-index the data. And you do not need "LINE_BREAKER" setting when "SHOULD_LINEMERGE=false".
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
