date_* fields not being extracted

Genti
Splunk Employee

I have events that look like this:

CEF:0|Symantec|Endpoint Protection|11|999|"C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SescLU.exe"|High| eventId=5480802 externalId=0E68DF150A0064A4000A5EDF35775715 start=1290620312000 end=1290620312000 art=1290622138975 deviceSeverity=7 rt=1290622392494 dhost=IL06TR3534M1029 dst=0.0.0.0 destinationZoneURI=/All Zones/System Zones/Private Address Space duser=SYSTEM dproc=C:/Program Files/Ci456trix/Server Resource Management/CPU Utilization Management/bin/ctxcpusched.exe filePath=C:/Program Files/Symantec/Symantec Endpoint Protection/SescLU.exe cs2=gsgdg cs1Label=Rule Name cs2Label=Site Name ahost=il02cdgdgsadgpp23 agt=0.0.0.0 agentZoneURI=/All Zones/System Zones/Public Address Space/Medfgdfrfgck adfgndfd fCdfo. Inc av=5.0.1.0.0 atz=America/Chicago aid=VHCNQioBAjhgfBCAAbwsSXav-A\=\= at=symantecendpointprotection_db dtz=America/Chicago _cefVer=0.1 ad.USN.l=17653876548768 ad.GROUP__ID.c=262887CD380ABC3B8D007F9E041C0F4906 ad.SEND__SNMP__TRAP.i=0 ad.SITE__ID.c=490FDBF20A0064A501D542C265C16579 ad.EVENT__TIME.l=1290620312000 ad.ALERT.l=1 ad.HARDWARE__KEY.c=CC4729F88C6AAB83A1072CA83A4EDEB5 ad.CALLER__PROCESS__ID.l=4464 ad.SERVER__ID.c=67B886940A0064A401CE5AF910B1B99C ad.COMPUTER__ID.c=4E09948C0A00649400AECB09AF9AB20F ad.ACTION.l=0 ad.AGENT__ID.c=600A65290A00649400AECB0979407FB0 ad.DOMAIN__ID.c=28CC5DC90A0064A501AB16EB8463B458 

CEF:0|Symantec|Endpoint Protection|11|999|"C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"|High| eventId=5480801 externalId=14B8F26D0A0064A4000A5EDF382EDBF5 start=1290620393000 end=1290620393000 art=1290622138975 deviceSeverity=7 rt=1290622392479 dhost=IL06TR345M1029 dst=0.0.0.0 destinationZoneURI=/All Zones/System Zones/Private Address Space duser=SYSTEM dproc=C:/Program Files/Ci64trix/Server Resource Management/CPU Utilization Management/bin/ctxcpusched.exe filePath=C:/Program Files/Symantec/Symantec Endpoint Protection/Smc.exe cs2=hfghgf cs1Label=Rule Name cs2Label=Site Name ahost=il02csgfagppdg23 agt=0.0.0.0 agentZoneURI=/All Zones/System Zones/Public Address Space/Merdgckgd agdgnd dgCo. Inc av=5.0.1.0.0 atz=America/Chicago aid=VHCNQiojhgfdBABCAAbwsSXav-A\=\= at=symantecendpointprotection_db dtz=America/Chicago _cefVer=0.1 ad.USN.l=1765876538768 ad.GROUP__ID.c=2628CD380A87BC3B8D007F9E041C0F4906 ad.SEND__SNMP__TRAP.i=0 ad.SITE__ID.c=490FDBF20A0064A501D542C265C16579 ad.EVENT__TIME.l=1290620393000 ad.ALERT.l=1 ad.HARDWARE__KEY.c=CC4729F88C6AAB83A1072CA83A4EDEB5 ad.CALLER__PROCESS__ID.l=4464 ad.SERVER__ID.c=67B886940A0064A401CE5AF910B1B99C ad.COMPUTER__ID.c=4E09948C0A00649400AECB09AF9AB20F ad.ACTION.l=0 ad.AGENT__ID.c=600A65290A00649400AECB0979407FB0 ad.DOMAIN__ID.c=28CC5DC90A0064A501AB16EB8463B458

Why do the date_* fields not get extracted? For a different source I get the extraction just fine (see below). Hence this has to do with the events themselves.

date_hour (n) (6)
date_mday (n) (1)
date_minute (n) (60)
date_month (1)
date_second (n) (60)
date_wday (1)
date_year (n) (1)
date_zone (1)

Also, how can I populate them if I needed to use them?

Cheers.

Genti
Splunk Employee

From what I understand, the date_* fields are actually fields that are extracted when Splunk parses the timestamp from the events themselves. Since these events have no timestamp associated with them, these fields do not get populated.

If one wanted to use such fields, they could extract and populate them using

 | eval date_mday=strftime(_time, "%d")

The above, for example, would extract the actual day of the month and populate it inside the date_mday field.

0 Karma

Genti
Splunk Employee

I don't think the customer cared for those epoch timestamps; they were fine with the timestamp becoming the actual index time, but still wanted to extract the "Day" field.

0 Karma

gkanapathy
Splunk Employee

Seems to me there are various epoch timestamps in the event data that should have been picked up. Perhaps setting a higher MAX_TIMESTAMP_LOOKAHEAD or a TIME_PREFIX would help.

0 Karma
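As an added example (not code from this thread and not Splunk's own implementation), the Python below shows what the accepted answer's eval and gkanapathy's TIME_PREFIX / MAX_TIMESTAMP_LOOKAHEAD suggestion would yield for these events. It parses the CEF extension, keys the timestamp on the event's own start= field (in CEF, rt= is the manager's receipt time and art= the agent's, so start= is the one an incident timeline wants), checks that exactly 13 epoch-millisecond digits follow it, and builds the date_* fields in the zone named by the event's dtz= field. The trimmed sample event, the constructed index time, the props.conf settings it mirrors and the choice of dtz= as the rendering zone are all assumptions of the example, not facts from the thread.

```python
"""Derive Splunk-style date_* fields from the epoch timestamps inside a CEF event.

Added illustration, not code from the original thread or from Splunk.
"""
from __future__ import annotations

import re
from datetime import datetime, tzinfo
from zoneinfo import ZoneInfo

# Constructed sample: the first event from the question with most of the ad.* tail
# trimmed. Backslash escapes are kept exactly as CEF writes them.
SAMPLE_EVENT = (
    r'CEF:0|Symantec|Endpoint Protection|11|999|"C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SescLU.exe"|High| '
    r'eventId=5480802 externalId=0E68DF150A0064A4000A5EDF35775715 '
    r'start=1290620312000 end=1290620312000 art=1290622138975 deviceSeverity=7 '
    r'rt=1290622392494 dhost=IL06TR3534M1029 dst=0.0.0.0 '
    r'destinationZoneURI=/All Zones/System Zones/Private Address Space duser=SYSTEM '
    r'aid=VHCNQioBAjhgfBCAAbwsSXav-A\=\= at=symantecendpointprotection_db '
    r'atz=America/Chicago dtz=America/Chicago _cefVer=0.1 ad.EVENT__TIME.l=1290620312000'
)

# Constructed index time: exactly one day after start=, to make the fallback visible.
INDEX_TIME_MS = 1290706712000

# Mirrors the props.conf one would write for this source (assumed, not from the thread):
#   TIME_PREFIX = start=   TIME_FORMAT = %s%3N   MAX_TIMESTAMP_LOOKAHEAD = 13
TIME_PREFIX = re.compile(r"\bstart=")
MAX_TIMESTAMP_LOOKAHEAD = 13          # %s%3N is exactly 13 digits
EPOCH_MILLIS = re.compile(r"\d{13}")

# CEF extension: key=value pairs; values may contain spaces and escaped "\=".
EXT_PAIR = re.compile(r"([\w.]+)=(.*?)(?=\s[\w.]+=|\Z)")


def parse_cef(event: str) -> tuple[list[str], dict[str, str]]:
    """Split a CEF line into its 7 header fields and a dict of extension fields."""
    parts = re.split(r"(?<!\\)\|", event, maxsplit=7)   # "\|" inside a field is not a separator
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF event")
    header, extension = parts[:7], parts[7]
    fields = {k: v.replace(r"\=", "=") for k, v in EXT_PAIR.findall(extension)}
    return header, fields


def extract_timestamp_ms(event: str) -> int | None:
    """Imitate Splunk's timestamp recognition with TIME_PREFIX and a 13-character
    lookahead: only 13 digits immediately after the prefix count. None means
    nothing was recognised, which is when Splunk falls back to index time."""
    m = TIME_PREFIX.search(event)
    if m is None:
        return None
    window = event[m.end(): m.end() + MAX_TIMESTAMP_LOOKAHEAD]
    ts = EPOCH_MILLIS.fullmatch(window)
    return int(ts.group()) if ts else None


def splunk_date_fields(epoch_ms: int, zone: tzinfo) -> dict[str, str]:
    """Build the date_* fields Splunk derives from a recognised timestamp.

    Values follow Splunk's conventions: unpadded numbers, lowercase month and
    weekday names, date_zone as the offset from UTC in minutes.
    """
    dt = datetime.fromtimestamp(epoch_ms / 1000, tz=zone)
    offset = dt.utcoffset()
    return {
        "date_year": str(dt.year),
        "date_month": dt.strftime("%B").lower(),
        "date_mday": str(dt.day),
        "date_wday": dt.strftime("%A").lower(),
        "date_hour": str(dt.hour),
        "date_minute": str(dt.minute),
        "date_second": str(dt.second),
        "date_zone": str(int(offset.total_seconds() // 60)) if offset else "0",
    }


def date_fields_for_event(event: str, index_time_ms: int) -> dict[str, str]:
    """date_* for one event. Assumption: the epoch is rendered in the zone named by
    dtz=. Without a recognised timestamp the index time is used instead, which is
    what `eval date_mday=strftime(_time, "%d")` sees on an un-timestamped event."""
    _, fields = parse_cef(event)
    zone = ZoneInfo(fields.get("dtz", "UTC"))
    ts = extract_timestamp_ms(event)
    return splunk_date_fields(ts if ts is not None else index_time_ms, zone)


if __name__ == "__main__":
    print("start= recognised:", date_fields_for_event(SAMPLE_EVENT, INDEX_TIME_MS))
    # Same event without start=: nothing to key on, so the (constructed) index time wins.
    no_start = SAMPLE_EVENT.replace("start=1290620312000 ", "")
    print("fallback to index time:", date_fields_for_event(no_start, INDEX_TIME_MS))
```

Two caveats when relying on the eval from the accepted answer instead of a real timestamp: strftime(_time, "%d") renders _time in the searching user's time zone and zero-pads the day (01..31), whereas Splunk's own date_mday is unpadded and follows the event's time zone, so compare the two numerically and expect disagreement around midnight. And when _time is really the index time, the "Day" extracted this way is the day the event was indexed, not the day the endpoint raised it.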