Stumped here.
I have a logfile that looks like
18:21:05 (lmgrd) TIMESTAMP 8/16/2017
18:26:06 (ansyslmd) TIMESTAMP 8/16/2017
18:05:35 (ansyslmd) OUT: "hfss_solve" rv@rv.com
18:05:50 (ansyslmd) IN: "hfss_solve" rv@rv.com
18:20:32 (ansyslmd) OUT: "hfss_solve" rv@rv.com
18:20:32 (ansyslmd) IN: "hfss_solve" rv@rv.com
18:21:05 (lmgrd) TIMESTAMP 8/17/2017
18:26:06 (ansyslmd) TIMESTAMP 8/17/2017
19:28:24 (ansyslmd) OUT: "hfss_solve" rv@rv.com
19:28:37 (ansyslmd) IN: "hfss_solve" rv@rv.com
19:36:27 (ansyslmd) OUT: "hfss_solve" rv@rv.com
19:36:39 (ansyslmd) IN: "hfss_solve" rv@rv.com
The time part is correct on the left. And whenever a 'TIMESTAMP' line shows up id like to make that the correct 'date' portion of the timestamp used for the event in Splunk.
Can somebody tell me how to get this done. Im expecting ill need to setup a new sourcetype in Splunk for it. Can someone give me an outline of how to get this done here?
Thank you.
↧