I am trying to set the time format from our Symantec events to the value of 'occurred_on' in my props.conf.
Here is the event string:
",occurred_on="March 2, 2018 6:50:14 AM",
Here is how the time is displayed:
3/2/18
6:50:27.000 AM
Here is my props.conf:
[symantec]
TIME_PREFIX = occurred_on=\"([A-Za-z]+\s\d{1,2},\s\d{4}\s\d{1,2}:\d{1,2}:\d{1,2})
TIME_FORMAT = %B %d, %Y %H:%M:%S
I changed the TIME_PREFIX last night to what it is now. I did have it earlier as [A-Za-z\s,0-9:]+
Each of these expressions worked in regex101; I changed to what it is now because I only wanted to grab the time minus the AM/PM.
I have deployed and also restarted Splunk on my devices.
Any thoughts on what I am doing wrong, or even how to debug this?
Thanks!
The TIME_PREFIX attribute should contain a regular expression describing what comes before the timestamp. In your case it should be:
TIME_PREFIX = occurred_on=\"
Your TIME_FORMAT setting doesn't quite match your sample event. Try:
TIME_FORMAT = %B %d, %Y %H:%M:%S %p
If you leave out the "%p", Splunk will interpret "6:50:27 AM" and "6:50:27 PM" as 06:50:27, which probably is not what you want.
This is not working.
I am still seeing the time off:
occurred_on="March 2, 2018 3:22:10 PM"
is showing as 3:22:16.000 PM
so there is a 6+ second difference.
The text occurred_on starts at position 1165 and ends around 1204. Does this create an issue?
As per the date and time format variable documentation, I think your TIME_FORMAT is close but not quite right!
Try:
TIME_FORMAT = %B %e, %Y %I:%M:%S %p
I'm not 100% sure that is correct, but I think it's closer... Your splunkd log files should inform you if the timestamp parsing is not working as expected.
From the documentation:
%e "Like %d, the day of the month as a decimal number, but a leading zero is replaced by a space. (1 to 31) "
%I "Hour (12-hour clock) with the hours represented by the values 01 to 12. Leading zeros are accepted but not required. "
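To see why the two answers above fix both settings, here is an added Python simulation of how TIME_PREFIX and TIME_FORMAT interact. It is not code from this thread and not Splunk's parser: the events are constructed to look like the one quoted in the question, the 128-character lookahead (Splunk's MAX_TIMESTAMP_LOOKAHEAD default, counted from the end of the prefix match) and the "parse as much as the format consumes" behaviour are a simplified model, and Python's strptime has no %e, so %d stands in for it (Python's %d accepts a single-digit day). The 1200-byte padded event is there to show that the offset asked about in the thread is not, by itself, what breaks extraction.

```python
import re
from datetime import datetime

# Constructed sample events, shaped like the one quoted in the question
# (field="value" pairs; the timestamp sits inside occurred_on="...").
EVENTS = [
    'severity="Info",occurred_on="March 2, 2018 6:50:14 AM",host="ws01"',
    'severity="Info",occurred_on="March 2, 2018 3:22:10 PM",host="ws02"',
    # 1200 bytes of filler before the field, like the ~1165 offset mentioned
    # in the thread, to show that the prefix offset alone is not a problem.
    'x' * 1200 + ',occurred_on="March 2, 2018 3:22:10 PM",host="ws03"',
]

# The TIME_PREFIX from the question: the capturing group swallows the
# timestamp, so nothing parseable is left after the match.
BAD_PREFIX = r'occurred_on=\"([A-Za-z]+\s\d{1,2},\s\d{4}\s\d{1,2}:\d{1,2}:\d{1,2})'
# The TIME_PREFIX both answers recommend: only the text before the timestamp.
GOOD_PREFIX = r'occurred_on=\"'

# TIME_FORMAT candidates from the thread. Python's strptime has no %e, so %d
# stands in for it here (Python's %d accepts a single-digit day).
FORMAT_24H_NO_AMPM = '%B %d, %Y %H:%M:%S'   # the question's format
FORMAT_12H_AMPM = '%B %d, %Y %I:%M:%S %p'   # the later answer's format


def extract_timestamp(event, time_prefix, time_format, lookahead=128):
    """Simplified model of Splunk's TIME_PREFIX / TIME_FORMAT handling.

    The prefix regex is located anywhere in the event; the timestamp is then
    parsed from the text immediately after the match, within `lookahead`
    characters (modelled on MAX_TIMESTAMP_LOOKAHEAD, default 128, counted
    from the end of the prefix match). strptime insists on consuming the
    whole string, so the longest parseable prefix of the window is used,
    which mimics a parser that stops where the format ends.
    Returns a datetime, or None when no timestamp could be extracted.
    """
    m = re.search(time_prefix, event)
    if not m:
        return None
    window = event[m.end():m.end() + lookahead]
    for end in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:end], time_format)
        except ValueError:
            continue
    return None


def explain(event, time_prefix, time_format):
    """One-line result string used by the demo below."""
    ts = extract_timestamp(event, time_prefix, time_format)
    return 'no timestamp found' if ts is None else ts.isoformat()


if __name__ == '__main__':
    pm_event = EVENTS[1]
    # 1. Prefix that captures the timestamp itself: extraction fails outright.
    print('bad prefix        :', explain(pm_event, BAD_PREFIX, FORMAT_24H_NO_AMPM))
    # 2. Correct prefix, but %H without %p: "3:22:10 PM" becomes 03:22:10.
    print('good prefix, %H   :', explain(pm_event, GOOD_PREFIX, FORMAT_24H_NO_AMPM))
    # 3. Correct prefix with %I ... %p: 15:22:10 as intended.
    print('good prefix, %I %p:', explain(pm_event, GOOD_PREFIX, FORMAT_12H_AMPM))
    # 4. The AM event and the padded event parse the same way.
    print('AM event          :', explain(EVENTS[0], GOOD_PREFIX, FORMAT_12H_AMPM))
    print('1200-byte offset  :', explain(EVENTS[2], GOOD_PREFIX, FORMAT_12H_AMPM))
```

Running it shows the three failure modes discussed in the thread side by side: the original TIME_PREFIX yields no timestamp at all, the original TIME_FORMAT turns the PM event into 03:22:10, and %I with %p gives 15:22:10. One caveat if you try the first answer's format (%H together with %p) in this script: Python's strptime, like glibc's, only applies %p when the hour was parsed with %I, which is the reason the later answer switches from %H to %I.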
Thanks!
Do you recommend the troubleshooting class? Will that help with this stuff?
Which troubleshooting class? I'd recommend reading the splunkd logs carefully. I even built an application to detect various errors in the logs, called Alerts For Splunk Admins.
Although in this case the alerts would just find the date parsing not working, the documentation for Splunk is also quite useful here...
Can you explain what the %Y:%M:%S is?
I thought %M and %S were minutes and seconds?
What about the hour?
Thanks!
Sorry, I did leave out the hour. I've corrected my answer.