We're collecting logs which have the timestamp in the middle of the log message, which is also in GMT. I'm trying to define the pattern for the timestamp and tell Splunk to treat it as GMT.
I've defined the following in props.conf:
```
[splunk@ziva local]$ pwd
/opt/splunk/etc/deployment-apps/DS-its-o365-audit/local
[splunk@ziva local]$ cat props.conf
[o365-audit-smtp]
TIME_FORMAT = "%m/%d/%y %I:%M:%S %p"
TZ = GMT
```
And I also have the following transform to handle the CSV fields:
```
[splunk@ziva local]$ pwd
/opt/splunk/etc/deployment-apps/DS-transform/local
[splunk@ziva local]$ head -10 transforms.conf | tail -5
# o365-audit CSV
[o365-audit-smtp]
DELIMS = ","
FIELDS = "PSComputerName","RunspaceId","PSShowComputerName","Organization","MessageId","Received","SenderAddress","RecipientAddress","Subject","Status","ToIP","FromIP","Size","MessageTraceId","StartDate","EndDate","Index"
```
The Received field is the timestamp that should be used for the _time field of the message. Received is properly populated, but the _time field is often off by a few seconds to several minutes, as is the case here:
```
17/12/2015 12:14:28.000
"ps.outlook.com","2d2269bb-7461-4cb2-b528-8cc6fb965d4b","False","uwoca.onmicrosoft.com","<a2e367c288f033fa7e4ccff7269cab78.squirrel@www.stats.uwo.ca>","12/17/2015 12:22:07 PM","sender@stats.uwo.ca","recipient@uwoca.onmicrosoft.com","Re: AS 2053 -- A Quick Question","Resolved","","129.100.1.9","19497","f06db2f9-9d22-470d-b27b-08d306dcae20","12/17/2015 6:00:00 AM","12/17/2015 12:00:00 PM","81130"
```

Selected fields:

```
FromIP           = 129.100.1.9
RecipientAddress = recipient@uwoca.onmicrosoft.com
SenderAddress    = sender@stats.uwo.ca
Subject          = Re: AS 2053 -- A Quick Question
host             = O365-Audit
```

Event fields:

```
EndDate            = 12/17/2015 12:00:00 PM
Index              = 81130
MessageId          = <a2e367c288f033fa7e4ccff7269cab78.squirrel@www.stats.uwo.ca>
MessageTraceId     = f06db2f9-9d22-470d-b27b-08d306dcae20
Organization       = uwoca.onmicrosoft.com
PSComputerName     = ps.outlook.com
PSShowComputerName = False
Received           = 12/17/2015 12:22:07 PM
RunspaceId         = 2d2269bb-7461-4cb2-b528-8cc6fb965d4b
SenderUsername     = sender
Size               = 19497
StartDate          = 12/17/2015 6:00:00 AM
Status             = Resolved
index              = its-o365-audit
linecount          = 1
splunk_server      = ducky.its.uwo.pri
user               = sender
user_combined      = sender
```

Time:

```
_time = 2015-12-17T12:14:28.000-05:00
```

Default fields:

```
punct      = "..","----","","..","<.@...>","//_::_","@..","@.."
source     = C:\Logs\SMTP\SMTP_Logs_6HRS_12-17-2015_12-00-00.csv
sourcetype = o365-audit-smtp
```
It's also not handling the time as GMT, if it's even handling that timestamp at all. What am I doing wrong?
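As an added example that is not part of the original post and is not Splunk's own code: a small Python check for validating a TIME_FORMAT against a pasted event before rolling a props.conf out. Splunk's TIME_FORMAT takes strptime-style directives, so Python's strptime is used here as a stand-in. The script splits the pasted row with the FIELDS order from the transforms.conf, tries the posted `%y` format and a `%Y` variant against the Received value, reports where that value starts in the raw line (relevant to TIME_PREFIX, since without one Splunk scans from the start of the event, by default up to MAX_TIMESTAMP_LOOKAHEAD = 128 characters), and compares the _time Splunk assigned with Received read as GMT and as UTC-5. `FOUR_DIGIT_YEAR_FORMAT` and all helper names are this example's own, and the sample row is a constructed copy of the event shown above.

```python
"""Pre-deployment check of a Splunk TIME_FORMAT against one CSV event.

Added example, not from the original post. Python's strptime stands in for
Splunk's strptime-style TIME_FORMAT parsing.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Field order copied from the transforms.conf in the post.
FIELDS = ["PSComputerName", "RunspaceId", "PSShowComputerName", "Organization",
          "MessageId", "Received", "SenderAddress", "RecipientAddress", "Subject",
          "Status", "ToIP", "FromIP", "Size", "MessageTraceId", "StartDate",
          "EndDate", "Index"]

# Constructed copy of the raw event shown in the post.
SAMPLE_ROW = ('"ps.outlook.com","2d2269bb-7461-4cb2-b528-8cc6fb965d4b","False",'
              '"uwoca.onmicrosoft.com",'
              '"<a2e367c288f033fa7e4ccff7269cab78.squirrel@www.stats.uwo.ca>",'
              '"12/17/2015 12:22:07 PM","sender@stats.uwo.ca",'
              '"recipient@uwoca.onmicrosoft.com","Re: AS 2053 -- A Quick Question",'
              '"Resolved","","129.100.1.9","19497",'
              '"f06db2f9-9d22-470d-b27b-08d306dcae20","12/17/2015 6:00:00 AM",'
              '"12/17/2015 12:00:00 PM","81130"')

POSTED_FORMAT = "%m/%d/%y %I:%M:%S %p"           # as written in the post's props.conf
FOUR_DIGIT_YEAR_FORMAT = "%m/%d/%Y %I:%M:%S %p"  # hypothetical variant with %Y
DEFAULT_LOOKAHEAD = 128                          # Splunk's default MAX_TIMESTAMP_LOOKAHEAD


def parse_row(line):
    """Split one CSV event into a dict using the FIELDS order."""
    return dict(zip(FIELDS, next(csv.reader(io.StringIO(line)))))


def try_time_format(value, fmt, utc_offset_hours=0):
    """Parse value with a strptime format; return an aware datetime, or None on mismatch."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    try:
        return datetime.strptime(value, fmt).replace(tzinfo=tz)
    except ValueError:
        return None


def received_epoch(line, fmt=FOUR_DIGIT_YEAR_FORMAT, utc_offset_hours=0):
    """Epoch seconds _time would get if Received is read with fmt in the given zone."""
    parsed = try_time_format(parse_row(line)["Received"], fmt, utc_offset_hours)
    return None if parsed is None else int(parsed.timestamp())


def field_offset(line, field):
    """Character offset where a field's value begins in the raw event."""
    return line.index('"' + parse_row(line)[field] + '"') + 1


def within_default_lookahead(line, field="Received"):
    """True if the field's value starts inside the default 128-char lookahead."""
    return field_offset(line, field) < DEFAULT_LOOKAHEAD


def assigned_vs_received(line, assigned_iso, fmt=FOUR_DIGIT_YEAR_FORMAT, utc_offset_hours=0):
    """Seconds between the _time Splunk assigned and Received read in the given zone."""
    expected = received_epoch(line, fmt, utc_offset_hours)
    if expected is None:
        return None
    return int(datetime.fromisoformat(assigned_iso).timestamp()) - expected


if __name__ == "__main__":
    received = parse_row(SAMPLE_ROW)["Received"]
    for fmt in (POSTED_FORMAT, FOUR_DIGIT_YEAR_FORMAT):
        print(f"{fmt!r:32} -> {try_time_format(received, fmt)}")
    print("Received starts at char", field_offset(SAMPLE_ROW, "Received"),
          "(inside default lookahead:", within_default_lookahead(SAMPLE_ROW), ")")
    print("as GMT  :", received_epoch(SAMPLE_ROW))
    print("as UTC-5:", received_epoch(SAMPLE_ROW, utc_offset_hours=-5))
    print("assigned _time minus Received-as-GMT (s):",
          assigned_vs_received(SAMPLE_ROW, "2015-12-17T12:14:28.000-05:00"))
```

Run it as-is to see which format string actually matches the Received value and how far the assigned _time is from it once both are expressed as epoch seconds. Event time that drifts from the real delivery time breaks correlation with other mail-flow and authentication logs, so a check like this is worth a minute before the props are deployed.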