Running Splunk 6.0 (build 182037)
Trying to parse the SystemOut.log file from WebSphere. Example log entry:
[12.12.13 13:42:36:130 CET] 00000cbd NodeSyncTask A ADMS0003I: The configuration synchronization completed successfully.
But Splunk formats the timestamp like this, a year behind:
2012-12-13T13:42:36.130+01:00
I have tried without success to apply the following in props.conf:
[websphere:system:out]
REPORT-thread = extract-sysout
LOOKUP-waseventtype = waseventtype waseventtyperaw OUTPUTNEW waseventtype
# [11/12/13 18:45:24:007 CET]
TIME_PREFIX = \[
TIME_FORMAT = %d/%m/%y %H:%M:%S
BREAK_ONLY_BEFORE = \[.+:.{2}:.{2}:.{3}\s
MAX_EVENTS = 1024
But it does not help (not having the TIME_PREFIX and TIME_FORMAT gives the same result).
I am not really sure what did the trick, but I do somehow think it has something to do with Windows (all servers are Windows servers in our environment). In the inputs.conf file I had defined the paths to the SystemOut.log files like this:
[monitor://E:\logs\...\SystemOut.log]
index = was_index
sourcetype = websphere:system:out
For some reason Splunk seemed to struggle with that definition, finding just some of the files. After changing it to
[monitor://E:\logs\*Member*\SystemOut.log]
index = was_index
sourcetype = websphere:system:out
[monitor://E:\logs\nodeagent\SystemOut.log]
index = was_index
sourcetype = websphere:system:out
[monitor://E:\logs\dmgr\SystemOut.log]
index = was_index
sourcetype = websphere:system:out
it started to index them as I would expect. So I must admit that I am not really sure what I did wrong initially, but the above did the trick for me at least.
Argh! Captcha hates me, so instead of updating I comment on my own question: I did change the formatting of TIME_FORMAT as pointed out by lukejadamec, but that did not solve my problem. The strange thing is that I do not find any errors in the Splunk logs. I need to recheck my indexes.
Try changing your timestamp format to match the data:
TIME_FORMAT = %d.%m.%y %H:%M:%S:%N %Z
You might as well include the timezone too :)
Have you tried the time_format without the time_prefix?
I should have seen that one. I updated TIME_FORMAT, but still no help. I suspect that I have some other issue which I am not able to see (yet) in the Splunk logs.
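The following is an added example, not code from the thread above. It reimplements in Python what the answer's TIME_FORMAT (`%d.%m.%y %H:%M:%S:%N %Z`) and the question's BREAK_ONLY_BEFORE ask Splunk to do, so the two possible readings of a date like `12.12.13` can be compared side by side: the DD.MM.YY reading gives 2013-12-12, while a YY.MM.DD reading gives exactly the 2012-12-13 value the question reports. The sample log lines are constructed for the example, the `TZ_OFFSETS` table is an assumption about which zone abbreviations the servers emit (Python's strptime `%Z` does not understand `CET` on its own), and `%f` stands in for Splunk's `%N` subsecond token.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines in WebSphere SystemOut.log layout (not from a real server).
# The third line is a continuation line with no timestamp, to exercise event breaking.
SAMPLE_LOG = """\
[12.12.13 13:42:36:130 CET] 00000cbd NodeSyncTask A ADMS0003I: The configuration synchronization completed successfully.
[12.12.13 13:42:37:005 CET] 00000cbd NodeSyncTask A ADMS0003I: A message that continues
on a second line without a timestamp
[11.12.13 18:45:24:007 CET] 0000001a SystemOut     O Hello
"""

# An event starts at a line that opens with the bracketed timestamp, which is
# what the question's TIME_PREFIX = \[ and BREAK_ONLY_BEFORE pattern target.
EVENT_START = re.compile(
    r"^\[(?P<date>\d{2}\.\d{2}\.\d{2}) "
    r"(?P<time>\d{2}:\d{2}:\d{2}:\d{3}) "
    r"(?P<tz>[A-Z]{3,4})\] "
)

# Assumption: the zone abbreviations this installation writes. strptime's %Z
# only accepts UTC/GMT and the local zone's own names, so "CET" is mapped here.
TZ_OFFSETS = {
    "CET": timezone(timedelta(hours=1)),
    "CEST": timezone(timedelta(hours=2)),
    "UTC": timezone.utc,
    "GMT": timezone.utc,
}


def parse_timestamp(date_s, time_s, tz_s, day_first=True):
    """Parse one bracketed WebSphere timestamp into an aware datetime.

    day_first=True is the DD.MM.YY reading (the answer's %d.%m.%y).
    day_first=False is the YY.MM.DD reading, which turns 12.12.13 into
    2012-12-13, the "year behind" value the question shows.
    """
    tz = TZ_OFFSETS.get(tz_s)
    if tz is None:
        raise ValueError(f"unknown timezone abbreviation {tz_s!r}")
    date_fmt = "%d.%m.%y" if day_first else "%y.%m.%d"
    # WebSphere separates milliseconds with ':'; strptime's %f needs '.'.
    hms, _, millis = time_s.rpartition(":")
    naive = datetime.strptime(f"{date_s} {hms}.{millis}", f"{date_fmt} %H:%M:%S.%f")
    return naive.replace(tzinfo=tz)


def split_events(text):
    """Break the log into events: a new event begins only at a timestamped line,
    any other line is appended to the event before it."""
    events = []
    for line in text.splitlines():
        if EVENT_START.match(line) or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events


def index_events(text, day_first=True):
    """Return (iso_timestamp, raw_event) pairs, the shape Splunk would store
    as _time and _raw, using the chosen date reading."""
    out = []
    for event in split_events(text):
        m = EVENT_START.match(event)
        if m is None:
            continue  # untimestamped leading text; Splunk would fall back to other heuristics
        ts = parse_timestamp(m["date"], m["time"], m["tz"], day_first)
        out.append((ts.isoformat(timespec="milliseconds"), event))
    return out


if __name__ == "__main__":
    for reading in (True, False):
        print("DD.MM.YY" if reading else "YY.MM.DD")
        for ts, event in index_events(SAMPLE_LOG, day_first=reading):
            print(" ", ts, "|", event.splitlines()[0][:40])
```

Running it prints the same three events under both readings; only the `_time` column differs, and the second reading reproduces `2012-12-13T13:42:36.130+01:00` for the first sample line. That is one explanation consistent with the value reported in the question, and it is the ambiguity an explicit, data-matching TIME_FORMAT removes.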