<div id="readability-page-1" class="page"><div id="post-body-2432600962419080596" itemprop="articleBody">
<p>audit.log 연동. 소스타입 선택과 관계 없이 unix time을 잘 인식한다.</p><p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwPQpooPzVm54WlsU0obu0XRvsp490sL_KiLTwF9S_zahKHcwjDvTg0xLU8CuQ7aEw0OHUaZ3bEZVfx-eHkppYnWaZx6DB-c9xTJZp816fW0eGqRKBd3r7Ud2O6cJCNQAtbYqSGXpGBNZUNzmgiMvzMNqgmnuCnbUUJ9e7qvKbGfGpzAr8tLJHz5kVssM8/s1280/splunk_unixtime.png"><img data-original-height="694" data-original-width="1280" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwPQpooPzVm54WlsU0obu0XRvsp490sL_KiLTwF9S_zahKHcwjDvTg0xLU8CuQ7aEw0OHUaZ3bEZVfx-eHkppYnWaZx6DB-c9xTJZp816fW0eGqRKBd3r7Ud2O6cJCNQAtbYqSGXpGBNZUNzmgiMvzMNqgmnuCnbUUJ9e7qvKbGfGpzAr8tLJHz5kVssM8/s16000/splunk_unixtime.png"></a></p><p><span><a name="more"></a></span>연동 결과. 나머지 필드 추출도 완벽.</p><p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUkylxPG7TOaBTCRUdY2ReY4WDw7w0jRWpHgKbTIcPL5QCTWVCCsaQp55dopB5Xy4xfe1ZblCGsuelxjnNwbyhKEMESVo6sqM7SaIUOH59H21_lHe2D2rj1pC2h1rsSjoNItefLHcR6e1lXPI-mVPmk6fNtF9MSI_KhpVQCNgWCrNHoEPKF9Ksu_ldYvhk/s1100/splunk_unixtime2.png"><img data-original-height="720" data-original-width="1100" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUkylxPG7TOaBTCRUdY2ReY4WDw7w0jRWpHgKbTIcPL5QCTWVCCsaQp55dopB5Xy4xfe1ZblCGsuelxjnNwbyhKEMESVo6sqM7SaIUOH59H21_lHe2D2rj1pC2h1rsSjoNItefLHcR6e1lXPI-mVPmk6fNtF9MSI_KhpVQCNgWCrNHoEPKF9Ksu_ldYvhk/s16000/splunk_unixtime2.png"></a></p><p>props.conf에 <a href="https://docs.splunk.com/Documentation/Splunk/9.4.2/Knowledge/Searchtimeoperationssequence" target="_blank">필드 추출 유형</a>이 정의되어 있지 않음에도 문제가 없는 이유는 원본 데이터가 key=value 구조이기 때문.</p><p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyIys5NCY9vNUWEYYOiXjN6EoPtsph-U2igfBf7dJL6ltP3e4CmaAlZ9opyF2SX1C8pcu8c9lptDi9KkdZVUXQzj1ISoSjuP1FmGyxYpeMsvmSxrSrtqx2NvrxTUkkWTnOI0oQ1IeS2Awbdb3BqR73lT2AHPhb6u4WN6ngxZmJiTi4-rkrP4FM71N3VMiC/s1111/props.conf.png"><img data-original-height="409" data-original-width="1111" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyIys5NCY9vNUWEYYOiXjN6EoPtsph-U2igfBf7dJL6ltP3e4CmaAlZ9opyF2SX1C8pcu8c9lptDi9KkdZVUXQzj1ISoSjuP1FmGyxYpeMsvmSxrSrtqx2NvrxTUkkWTnOI0oQ1IeS2Awbdb3BqR73lT2AHPhb6u4WN6ngxZmJiTi4-rkrP4FM71N3VMiC/s16000/props.conf.png"></a></p><p>혹시 필드 추출에 문제가 있다면 props.conf의 <a href="https://docs.splunk.com/Documentation/Splunk/9.4.2/Admin/Propsconf#Field_extraction_configuration" target="_blank">KV_MODE</a> 옵션을 살펴보자.</p><p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4O_1ciqEeLaoUUvKHHXTB1rIaopjy-jt4OUhdR6qv8r-Vb8SGWfKp2u0qSKlKjel9P4_2dKL5ptWDuBtRmwdFnWqNx2blF6U2bKjDkAPRWQATjAo7V3RJsmKctMNa50EnfYRjgLu7eHNAVCxSrE_88s5tmIYit2BS2rRFmPUyaJtAowbhWUljsFNm6t9_/s1240/splunk_unixtime3.png"><img data-original-height="720" data-original-width="1240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4O_1ciqEeLaoUUvKHHXTB1rIaopjy-jt4OUhdR6qv8r-Vb8SGWfKp2u0qSKlKjel9P4_2dKL5ptWDuBtRmwdFnWqNx2blF6U2bKjDkAPRWQATjAo7V3RJsmKctMNa50EnfYRjgLu7eHNAVCxSrE_88s5tmIYit2BS2rRFmPUyaJtAowbhWUljsFNm6t9_/s16000/splunk_unixtime3.png"></a></p><div><p>참고로 <a href="https://docs.splunk.com/Documentation/Splunk/9.4.2/SearchReference/DateandTimeFunctions#strftime.28.26lt.3Btime.26gt.3B.2C.26lt.3Bformat.26gt.3B.29" target="_blank">unix time 수동 변환</a>은&nbsp;이렇게.</p></div><div><p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiA3nJSyEKw6E1ZXGlu_Xes1dy3Abok5wBTWHYbH9Rue_cLa_NvmkXZgDmpn1mlMtiv2T55ZsuryUaJrGG2cVnwtEdoWJG6M2zRZ8Iwy35gMpJKqW8zsm6Mi61l4S-B4n5z_yOWFGJ5I4Uf8JXkZG-YrraYV8MPtvmzK4X5UKwUDsn18O5JFIzVumosB_W2/s1393/splunk_unixtime4.png"><img data-original-height="753" data-original-width="1393" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiA3nJSyEKw6E1ZXGlu_Xes1dy3Abok5wBTWHYbH9Rue_cLa_NvmkXZgDmpn1mlMtiv2T55ZsuryUaJrGG2cVnwtEdoWJG6M2zRZ8Iwy35gMpJKqW8zsm6Mi61l4S-B4n5z_yOWFGJ5I4Uf8JXkZG-YrraYV8MPtvmzK4X5UKwUDsn18O5JFIzVumosB_W2/s16000/splunk_unixtime4.png"></a></p></div>

</div></div>

케세라세라

audit.log 연동. 소스타입 선택과 관계 없이 unix time을 잘 인식한다.
연동 결과. 나머지 필드 추출도 완벽.
props.conf에 필드 추출 유형이 정의되어 있지 않음에도 문제가 없는 이유는 원본 데이터가 key=value 구조이기 때문.
혹시 필드 추출에 문제가 있다면 props.conf의 KV_MODE 옵션을 살펴보자.
참고로 unix time 수동 변환은 이렇게.

Splunk의 unix time

댓글