I have a proxy server that is double date stamping events. This is not normally an issue, but I ran into a hydridization of these dates when the 2 date stamps differ:
Jul 27 23:59:59 name01 name01.coname.dom: <Mon, 28 Jul 2014 00:00:00,EDT> xxxpayloadxxx
Splunk date-stamped this event as 7/28/2014 23:59:59. We are utilizing Splunk's default time stamp parsing for this source.
I want Splunk to stop looking for a date after 16 characters. My understanding for the max_timestamp_lookahead in props.conf tells Splunk where to start, not stop.
Any guidance is appreciated. Thanks
You can specify this:
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 16
The prefix tells it where to start, and the lookahead where to stop. Additionally, you could specify an appropriate TIME_FORMAT
.
You can specify this:
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 16
The prefix tells it where to start, and the lookahead where to stop. Additionally, you could specify an appropriate TIME_FORMAT
.
Awesome - thanks!