Getting Data In

simple timestamp extraction from log file

a_splunk_user
Path Finder

All of my data from an snmp log file has timestamps which are the modified date of the log file:

7/5/12
2:50:50.000 PM

However, I need the associated timestamp for every event within that log file.
2012-07-23 16:18:32 abc.xyz.net [UDP: [111.222.333.444]:26263->[0.0.0.0]:0]:

This timestamp format seems to be fairly common, so I don't believe I will need to modify the $SPLUNK_HOME/etc/datetime.xml file.

I must be missing something obvious, but I'm a bit confused as to where else to look. I believe I have read all the docs and most of the questions out there regarding similar issues.

Here is my props.conf:

[source::C:\usr\log\snmptrapd.log]
TIME_FORMAT = %Y-%m-%d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 25
SHOULD_LINEMERGE = true

Thanks in advance for any advice!

0 Karma

a_splunk_user
Path Finder

The solution ended up being a modified props.conf file like so:

# Sourcetype stanza: applies to every event that arrives with sourcetype=snmp
[snmp]
# Don't skip the file as binary even if some trap payloads look non-text
NO_BINARY_CHECK = 1
# Show this sourcetype in the "Set sourcetype" pulldown of the input UI
pulldown_type = 1
# strptime format the event timestamp must match, e.g. 2012-07-23 16:18:32
TIME_FORMAT = %Y-%m-%d %H:%M:%S
# Only look this many characters past TIME_PREFIX for the timestamp
MAX_TIMESTAMP_LOOKAHEAD = 25
# Merge lines into multi-line events ...
SHOULD_LINEMERGE = true
# ... but start a new event only at a line that begins with a date
BREAK_ONLY_BEFORE_DATE = TRUE
# The timestamp sits at the very start of the event (nothing precedes it)
TIME_PREFIX = ^

Once that is done I can search on sourcetype=snmp, and the timestamps are correctly registered with Splunk.

Hope this helps others!

0 Karma
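To see what the accepted stanza actually does to a snmptrapd log, here is an added Python model of event breaking and timestamp extraction written for this page; it is not Splunk's parser and not code from the thread. The sample log lines are constructed (the 192.0.2.10 address is a documentation address), and the fallback chain (previous event's time, then the file's modification time) is a simplified model of Splunk's documented behaviour, stated here as an assumption. The point it shows: with BREAK_ONLY_BEFORE_DATE the varbind lines ride along with their trap header and inherit its timestamp; broken line by line, those same lines carry no timestamp within the lookahead and fall through to a fallback value, which is how a whole file can end up stamped with its mtime.

```python
import re
from datetime import datetime

# Constructed sample (not from the original post) of a net-snmp snmptrapd log:
# each trap is a header line that starts with a timestamp, followed by
# tab-indented varbind lines that carry no timestamp of their own.
SAMPLE_LOG = (
    "2012-07-23 16:18:32 abc.xyz.net [UDP: [192.0.2.10]:26263->[0.0.0.0]:0]:\n"
    "\tDISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (12345) 0:02:03.45\n"
    "\tSNMPv2-MIB::snmpTrapOID.0 = OID: IF-MIB::linkDown\n"
    "2012-07-23 16:19:05 abc.xyz.net [UDP: [192.0.2.10]:26263->[0.0.0.0]:0]:\n"
    "\tDISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (15678) 0:02:36.78\n"
    "\tSNMPv2-MIB::snmpTrapOID.0 = OID: IF-MIB::linkUp\n"
)

# The props.conf settings from the accepted answer, expressed as Python values.
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"      # strptime format
MAX_TIMESTAMP_LOOKAHEAD = 25           # characters scanned after TIME_PREFIX
TIME_PREFIX = re.compile(r"^")         # TIME_PREFIX = ^ : timestamp leads the event
# Regex form of TIME_FORMAT, used for BREAK_ONLY_BEFORE_DATE and the lookahead scan.
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")

# Stand-in for the log file's modification time (the value the poster saw on every event).
FILE_MTIME = datetime(2012, 7, 5, 14, 50, 50)


def break_events(raw, break_only_before_date=True):
    """Group raw lines into events.

    With break_only_before_date=True this mirrors SHOULD_LINEMERGE = true plus
    BREAK_ONLY_BEFORE_DATE = true: a new event starts only on a line that begins
    with a date; every other line is merged into the event before it.
    With False every line becomes its own event (no merging at all).
    """
    events, current = [], []
    for line in raw.splitlines():
        starts_new = DATE_RE.match(line) is not None if break_only_before_date else True
        if starts_new and current:
            events.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        events.append("\n".join(current))
    return events


def extract_timestamp(event):
    """Return the datetime found within MAX_TIMESTAMP_LOOKAHEAD characters after
    the TIME_PREFIX match, or None when no TIME_FORMAT-shaped value is there."""
    prefix = TIME_PREFIX.search(event)
    if prefix is None:
        return None
    window = event[prefix.end():prefix.end() + MAX_TIMESTAMP_LOOKAHEAD]
    found = DATE_RE.search(window)
    return datetime.strptime(found.group(0), TIME_FORMAT) if found else None


def assign_timestamps(raw, file_mtime=FILE_MTIME, break_only_before_date=True):
    """Break raw text into events and give each one a timestamp.

    Fallback chain (assumption: a simplified model of Splunk's documented rule,
    not the page's words): an event with no recognised timestamp takes the
    previous event's time, and if there is none, the file's mtime.
    Returns a list of (timestamp, origin) with origin "extracted" or "fallback".
    """
    results, previous = [], None
    for event in break_events(raw, break_only_before_date):
        ts = extract_timestamp(event)
        if ts is None:
            results.append((previous if previous is not None else file_mtime, "fallback"))
        else:
            results.append((ts, "extracted"))
            previous = ts
    return results


if __name__ == "__main__":
    print("merged on date:")
    for ts, origin in assign_timestamps(SAMPLE_LOG):
        print(" ", ts, origin)
    print("one event per line:")
    for ts, origin in assign_timestamps(SAMPLE_LOG, break_only_before_date=False):
        print(" ", ts, origin)
```

Run it and compare the two listings: the date-anchored breaking yields two events, both stamped from their own header line, while line-by-line breaking yields six, four of which have no timestamp of their own. The same model also shows why MAX_TIMESTAMP_LOOKAHEAD = 25 is enough here: the 19-character timestamp is at offset 0 of every event once TIME_PREFIX = ^ is in force.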

lguinn2
Legend

Maybe this is the problem. I found this in the documentation for props.conf:

**Considerations for Windows file paths:**

When you specify Windows-based file paths as part of a [source::<source>] stanza, you must
escape any backslashes contained within the specified file path.

Example: [source::c:\\path_to\\file.txt]

So try this instead:

[source::C:\\usr\\log\\snmptrapd.log]
TIME_FORMAT = %Y-%m-%d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 25
SHOULD_LINEMERGE = true

Also, just in case this isn't the problem - what sourcetype is assigned to this data?

0 Karma

lguinn2
Legend

I checked to see if "snmp" is a built-in sourcetype, and it is not. So I would love to see the props.conf that references the snmp sourcetype, and any transforms.conf stanzas as well.

Otherwise, I am out of ideas.... 😞

0 Karma

a_splunk_user
Path Finder

Hi lguinn,

Thanks for getting back to me. Oddly the escaped paths were in fact there, not sure why the unescaped ones were posted - my bad.

The sourcetype is set to 'snmp', and has a number of hosts writing to it - all data in the 'snmp' sourcetype has this issue.

Thanks!

0 Karma

lguinn2
Legend

Where is your props.conf - on the indexer(s) or on the forwarder? What kind of forwarder?

Timestamp extraction is part of the data parsing phase. It cannot be done on a Universal Forwarder. So, your props.conf needs to go wherever the parsing occurs - on the indexer(s). Or, if you are using a heavy forwarder, on the heavy forwarder.

0 Karma

a_splunk_user
Path Finder

This is still an issue - any help is appreciated please.

0 Karma

a_splunk_user
Path Finder

Hi,

Sorry for not being clear on that. The props.conf is on the indexer, reading snmp data from a local log file.

Thx

0 Karma