Re: How should I extract the time stamp when it ap...

ddrillic · ‎06-18-2019

We have data that comes in two different formats -

Jun 18 14:02:21 <host> DataCollector: [0x7f08f6ffd700] INFO  Metrics null - {"snapshot":[{"Syslog":{"totalBytesReceived":{"count":80535209337320,"timestamp":"20190618T140221.616466"},...

Or

Jun 18 14:02:19 <host> DataCollector: [0x7f4e0b2c1700] INFO  RevisionManager null....

I did the following which works fine for the first case, but not the second, obviously ; -)

[syslog<case>]
TRANSFORMS-host_override = host_override
LINE_BREAKER=([\r\n]+)\S+\s\d+\s\d{2}:\d{2}:\d{2}
TIME_PREFIX=\"timestamp\":\"
TIME_FORMAT=%Y%m%dT%H%M%S.%6N
MAX_TIMESTAMP_LOOKAHEAD=50
TZ = UTC
TRUNCATE=10000
SHOULD_LINEMERGE=false
disabled=false

How can I handle the second case of the log? Here there isn't any other choice besides the time stamp at the beginning of the line.

DavidHourani · ‎06-18-2019

Hi @ddrillic,

Ouch...how did you get into that hole ?

How about routing each into a different sourcetype and applying the right time format there ?

If you try to apply a match on this format : Jun 18 14:02:19 even if it's conditional it will match for both so no way out that.

Cheers,
David

ddrillic · ‎06-18-2019

I know - it's a cute one ; -)

How should I extract the time stamp when it appears in two different formats and locations?

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?