Hi,
what would be the best practice for preventing a recent log line like the following one from being wrongly tagged as coming from two years ago?
Jun 23 23:15:47 cisco123.mylocal.net Compiled Fri 20-Oct-17 20:51 by prod_rel_team
current sourcetype: cisco:ios
_time: 2017-10-20T23:15:47.000
My plan would be to set a specific subtype and disable the timestamp processor for that particular case.
transforms.conf:
[set_subtype_compiled_message]
REGEX = Compiled\s\w+\s\d+-\w+-\d+\s\d+:\d+\sby
DEST_KEY = MetaData:Sourcetype
# sourcetype overrides use a double colon between the key and the new value
FORMAT = sourcetype::cisco:ios_compiled
props.conf:
[cisco:ios]
# the class name must be assigned the transforms.conf stanza name
TRANSFORMS-set_subtype_compiled_message = set_subtype_compiled_message
[cisco:ios_compiled]
DATETIME_CONFIG = NONE
Any better ideas, pros and cons?
Regards,
Bernd
In the props.conf use:
[cisco:ios]
MAX_TIMESTAMP_LOOKAHEAD = 15
TIME_FORMAT = %b %d %H:%M:%S
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD --> The number of characters into an event Splunk software should look for a timestamp.
TIME_FORMAT --> Specifies a "strptime" format string to extract the date.
TIME_PREFIX --> If set, Splunk software scans the event text for a match for this regex. In this case the ^ asserts position at start of a line.
Never ever let splunk guess at timestamp; always set the magic 6:
https://www.sicherevielfalt.de/blog/the-ultimate-splunk-magic-8-for-a-dramatic-performance-boost/
https://splunkbase.splunk.com/app/4162/
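To see why the unconstrained timestamp scan is fooled by the IOS compile banner and what the three anchored settings in the answer above change, here is an added Python emulation. It is not code from the thread and not Splunk's parser: the candidate patterns in CANDIDATES and the "prefer a candidate with an explicit year" rule are a simplified stand-in for automatic timestamp recognition, NOW is an assumed ingestion time, and every event except the first (which is the line quoted in the question) is constructed. One caveat on the question's plan that the example does not model: Splunk applies TRANSFORMS-based sourcetype overrides in the typing queue, after timestamp extraction has already run in the merging queue, so DATETIME_CONFIG = NONE on cisco:ios_compiled would not take effect; timestamp settings have to live on the original cisco:ios stanza, which is what the answer does.

```python
"""Emulate Splunk timestamp extraction over Cisco IOS syslog lines.

Added example: a stand-in for the behaviour discussed in the thread, not
Splunk's real parser. Everything here is constructed except SAMPLE_EVENTS[0].
"""
import re
from datetime import datetime
from typing import Optional

# Assumed "current" time at ingestion (the year-less syslog header needs it).
NOW = datetime(2019, 6, 24, 0, 0, 0)

# SAMPLE_EVENTS[0] is the line quoted in the question; the rest are
# constructed for this example.
SAMPLE_EVENTS = [
    "Jun 23 23:15:47 cisco123.mylocal.net Compiled Fri 20-Oct-17 20:51 by prod_rel_team",
    "Jun 23 23:16:02 cisco123.mylocal.net %SYS-5-CONFIG_I: Configured from console by admin on vty0",
    "Jun 23 23:16:30 cisco123.mylocal.net %LINEPROTO-5-UPDOWN: Line protocol on Interface Gi0/1, changed state to up",
    "Dec 31 23:59:58 cisco123.mylocal.net %SYS-5-RESTART: System restarted",
]

# Patterns an unconstrained scanner might recognise anywhere in an event:
# (regex, strptime format, carries an explicit year). Simplified on purpose.
CANDIDATES = [
    (re.compile(r"\b(\d{1,2}-[A-Z][a-z]{2}-\d{2} \d{2}:\d{2})\b"), "%d-%b-%y %H:%M", True),
    (re.compile(r"\b([A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2})\b"), "%b %d %H:%M:%S", False),
]

# The sourcetype-override regex from the question, unchanged.
COMPILED_BANNER = re.compile(r"Compiled\s\w+\s\d+-\w+-\d+\s\d+:\d+\sby")


def guess_time(event: str, now: datetime = NOW, lookahead: int = 128) -> Optional[datetime]:
    """Unanchored scan of the first `lookahead` characters. A candidate with an
    explicit year beats one without, which is how the IOS build date wins."""
    window = event[:lookahead]
    best: Optional[tuple] = None
    for pattern, fmt, has_year in CANDIDATES:
        m = pattern.search(window)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), fmt)
        if not has_year:
            ts = ts.replace(year=now.year)
        if best is None or (has_year and not best[1]):
            best = (ts, has_year)
    return best[0] if best else None


def extract_time(event: str, now: datetime = NOW, time_prefix: str = r"^",
                 time_format: str = "%b %d %H:%M:%S", lookahead: int = 15) -> Optional[datetime]:
    """Mirror the answer's props.conf: TIME_PREFIX fixes where the search
    starts, MAX_TIMESTAMP_LOOKAHEAD bounds how far it reads, TIME_FORMAT is the
    strptime pattern. Text beyond the window is never looked at."""
    m = re.search(time_prefix, event)
    if not m:
        return None
    window = event[m.end():m.end() + lookahead]
    # Python's strptime must consume the whole string, so trim from the right
    # until the format fits (Splunk's strptime tolerates trailing text).
    for end in range(len(window), 0, -1):
        try:
            ts = datetime.strptime(window[:end], time_format)
        except ValueError:
            continue
        if "%y" not in time_format and "%Y" not in time_format:
            # No year in the format: assume the current one, and treat a stamp
            # that would land in the future as last year's (a simplified form
            # of what MAX_DAYS_HENCE / MAX_DAYS_AGO govern in props.conf).
            ts = ts.replace(year=now.year)
            if ts > now:
                ts = ts.replace(year=now.year - 1)
        return ts
    return None


def override_sourcetype(event: str, base: str = "cisco:ios") -> str:
    """The question's transform: route the compile banner to its own sourcetype."""
    return f"{base}_compiled" if COMPILED_BANNER.search(event) else base


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{override_sourcetype(ev):18} guess={guess_time(ev)}  anchored={extract_time(ev)}")
```

Running it shows the first event landing in October 2017 under the unanchored scan and on 23 June of the ingestion year under the anchored settings; the December event shows the year rollover that a year-less TIME_FORMAT forces you to think about, and the third event shows the override regex leaving ordinary syslog untouched.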
Reminds me of "What are the best practices for defining source types?", so cross-linking.