Security

Parse Log Messages

mspiegel
New Member

I'm sending a series of events to Splunk with their own time stamp and username info that I built independently of Splunk. Is there any way to run or build a custom report such that I can use the data that I passed in as parameters, instead of only being able to choose from the parameters defined by Splunk?


southeringtonp
Motivator

What do you mean by "parameters defined by Splunk"?

Are you just trying to extract new fields?
http://www.splunk.com/base/Documentation/latest/User/ExtractNewFields
http://www.splunk.com/base/Documentation/latest/User/InteractiveFieldExtractionExample


southeringtonp
Motivator

Splunk is pretty good about picking up on timestamps out of the box. Usually if it doesn't see it, that means the timestamp is in a nonstandard format, or there's something else earlier in the message that looks like a timestamp. Also, there's a limit to how far into an event Splunk will look by default. If you can post a few lines of (sanitized) sample data, people here will be better able to help. The docs have some good information too - take a look at http://www.splunk.com/base/Documentation/latest/Admin/HowSplunkextractstimestamps
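
The two failure modes named above (a date-looking token earlier in the event, and the lookahead limit) are easy to reproduce outside Splunk. The following is an added example, not code from the thread or from Splunk: it models the relevant props.conf settings (TIME_PREFIX, TIME_FORMAT, MAX_TIMESTAMP_LOOKAHEAD and an EXTRACT- class for the username field) as a plain dict and applies them to constructed log lines. The sample lines, the "ts="/"user=" keys and the setting values are assumptions chosen to illustrate the point; the setting names themselves are real Splunk settings.

```python
import re
from datetime import datetime, timezone
from typing import Dict, Optional

# Constructed sample events (not from the original thread). Each line carries
# an application-generated timestamp after "ts=" and a username after "user=",
# but it *starts* with a request id whose first eight digits also look like a
# date. That is the "something earlier in the message that looks like a
# timestamp" failure mode described in the answer above.
SAMPLE_EVENTS = [
    "req=20240102-7781 ts=2024-03-15T08:42:10Z user=alice action=login result=ok",
    "req=20240102-7782 ts=2024-03-15T08:42:11Z user=bob action=login result=fail",
    "req=20240102-7783 ts=03/15/2024 08:42:12 user=carol action=logout result=ok",
]

# Hypothetical props.conf stanza, modelled as a dict. The setting names are
# real Splunk settings; the values are assumptions for these sample lines.
PROPS: Dict[str, object] = {
    "TIME_PREFIX": r"\bts=",                # regex; timestamp search starts after the match
    "TIME_FORMAT": "%Y-%m-%dT%H:%M:%SZ",    # strptime-style format of the expected timestamp
    "MAX_TIMESTAMP_LOOKAHEAD": 20,          # characters after the TIME_PREFIX match to inspect
    "EXTRACT-user": r"user=(?P<user>\S+)",  # search-time field extraction; named group = field
}


def first_datelike_token(event: str) -> Optional[datetime]:
    """Greedy guess: treat the first run of eight digits as YYYYMMDD.

    Stands in for an unguided extractor that grabs the first date-looking
    thing in the line, which here is part of the request id, not the timestamp.
    """
    m = re.search(r"\d{8}", event)
    if not m:
        return None
    try:
        return datetime.strptime(m.group(0), "%Y%m%d").replace(tzinfo=timezone.utc)
    except ValueError:
        return None


def anchored_timestamp(event: str, props: Dict[str, object]) -> Optional[datetime]:
    """Locate the timestamp the way the props.conf settings direct.

    Anchor after TIME_PREFIX, inspect at most MAX_TIMESTAMP_LOOKAHEAD characters,
    and accept only text that parses with TIME_FORMAT. Returns None when nothing
    in the window matches (in Splunk the event would then get a fallback time,
    not the one the application wrote).
    """
    prefix = re.search(str(props["TIME_PREFIX"]), event)
    if not prefix:
        return None
    lookahead = int(props["MAX_TIMESTAMP_LOOKAHEAD"])
    window = event[prefix.end(): prefix.end() + lookahead]
    fmt = str(props["TIME_FORMAT"])
    # strptime needs the whole string to match, so try the longest candidate
    # first and shrink until one parses.
    for n in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:n], fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def extract_fields(event: str, props: Dict[str, object]) -> Dict[str, str]:
    """Apply every EXTRACT-<class> regex; each named group becomes a field."""
    fields: Dict[str, str] = {}
    for key, pattern in props.items():
        if key.startswith("EXTRACT-"):
            m = re.search(str(pattern), event)
            if m:
                fields.update(m.groupdict())
    return fields


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        print("event    :", line)
        print("  greedy :", first_datelike_token(line))       # wrong: 2024-01-02 from the request id
        print("  anchored:", anchored_timestamp(line, PROPS))  # right for alice/bob, None for carol
        print("  fields :", extract_fields(line, PROPS))
```

Running it shows the three cases from the answer: the greedy guess returns 2 January 2024 for every line because the request id comes first; the anchored version returns the intended 15 March times for the two lines whose timestamp matches TIME_FORMAT and None for the third, whose US-style format does not match; and cutting MAX_TIMESTAMP_LOOKAHEAD to 10 truncates the window to the date alone so the full format no longer matches and the timestamp is lost. One caveat for timestamps the application builds itself: anchoring on a fixed prefix stops a stray date-looking token elsewhere in the event from being picked up, but it does not validate the value, so whoever can write to that log decides where on the timeline the event lands.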

mspiegel
New Member

This helped a lot, thank you. However, I'm still unable to search over time from the self-created timestamp that I tried to pass into my Splunk log message. Any ideas?
