Re: Timestamp recognition props.conf (event time u...

marellasunil · ‎05-01-2015

Hi,
Every month 1st, I am facing the below issue.
Splunk stopped indexing on 1st of every month
For ex : Feb 1st it stopped indexing & it retrieved on 2nd, and on March 1st stopped and indexing again on 3rd march.
Look like splunk recognizing logs as MM/DD though DD/MM in the log

I tried to add "%d/%m/%Y %H:%M:%S" in props.conf but still no luck

timestamp="09/04/2015 10:06:30", XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX, transactionstart="09/04/2015 10:06:30", transactionend="09/04/2015 10:06:30",

Can some one suggest me what should I do?

stephane_cyrill · ‎05-01-2015

What is the source of your data? is it from a forwarder? if yes, it may be a game of time zones.

see

docs.splunk.com/Documentation/Splunk/6.2.2/data/Applytimezoneoffsetstotimestamps

marellasunil · ‎05-01-2015

Hi Stephane,
Thanks for the reply.
Yes it is forwarder, even I have add the below stanza to props.conf file (In deployment server) which did not work, even changed in all indexers $SPLUNK_HOME$/system/local/props.conf as well

[sourcetype_proj]
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TIME_FORMAT = %d/%m/%Y %H:%M:%S
TIME_PREFIX = timestamp="
TZ = Europe/London
category = Custom
pulldown_type = true

Timestamp recognition props.conf (event time using MM/DD/YYYY instead of DD/MM/YYYY

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases