- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Why is the timestamp in Splunk different from the ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I'm using Splunk 6.2.3 and have some problems and questions.
First of all, I'd like to describe the problem I actually have:
I filled Splunk with a larger catalina logfile and saw that Splunk reads a different timestamp than the log actually has.
Here is the line where Splunk may begins to read:
1.3.6.1.4.1.20742.3.5.1.2.1.x.x = XX
[15:35:10,560 - Thread-77 (HornetQ-client-factory-threads-887115841-1086694719)] [CONN] DEBUG - TrapProcessor:110 - [...]
When I use the list view, Splunk shows me the time: 03.03.15, 15:34:22,745
However, the date is correct, only the time isn't.
Further questions are:
- Where may I change it, that Splunk asks me to show all "257" lines. Which configs and stanzas do I have to change to get a different value here?
- When I'm searching for any search term, Splunk doesn't show me the result in the first line of the result. Sometimes it's in the third line, sometimes in the first. How does splunk decide which line is the first?
- When I'm using Splunk forwarders, do I always have to configure the input in the inputs.conf on the server side?
So, these are a few questions, but I hope you can help me.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You have not told Splunk how to handle your logfile and it is not doing a good job on it's own.
You need to create a props.conf entry that tells it where the timestamp is and, more importantly, what it looks like; this is your problem with the date/time:
http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Configuretimestamprecognition
Also, you have not told it what constitutes a single event inside your logfile; this is the problem with your "sometimes it is in the 3rd line" problem:
http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Indexmulti-lineevents
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You have not told Splunk how to handle your logfile and it is not doing a good job on it's own.
You need to create a props.conf entry that tells it where the timestamp is and, more importantly, what it looks like; this is your problem with the date/time:
http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Configuretimestamprecognition
Also, you have not told it what constitutes a single event inside your logfile; this is the problem with your "sometimes it is in the 3rd line" problem:
http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Indexmulti-lineevents
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your answer!
I'll try it out and check, wheater I solved it.
But another problem I'm having is, that the the direct file upload doesn't work for me.
Splunk seems to upload the file until 100% but then it freezes and no progress is visible.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
