Hello,
I'm using Splunk 6.2.3 and have some problems and questions.
First of all, I'd like to describe the problem I actually have:
I filled Splunk with a larger catalina logfile and saw that Splunk reads a different timestamp than the log actually has.
Here is the line where Splunk may begin to read:
1.3.6.1.4.1.20742.3.5.1.2.1.x.x = XX
[15:35:10,560 - Thread-77 (HornetQ-client-factory-threads-887115841-1086694719)] [CONN] DEBUG - TrapProcessor:110 - [...]
When I use the list view, Splunk shows me the time: 03.03.15, 15:34:22,745
However, the date is correct, only the time isn't.
Further questions are:
So, these are a few questions, but I hope you can help me.
You have not told Splunk how to handle your logfile and it is not doing a good job on its own. You need to create a props.conf entry that tells it where the timestamp is and, more importantly, what it looks like; this is your problem with the date/time:
http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Configuretimestamprecognition
Also, you have not told it what constitutes a single event inside your logfile; this is the problem with your "sometimes it is in the 3rd line" problem:
http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Indexmulti-lineevents
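As an added illustration (not from the answer above and not Splunk's own code), here is a constructed props.conf stanza for the log format in the question, with a small Python emulation of how the documented settings SHOULD_LINEMERGE, BREAK_ONLY_BEFORE, TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD and TIME_FORMAT carve a constructed sample into events and pull the timestamp out of each one. The sourcetype name `catalina_hornetq`, the regex values and the sample lines are assumptions; since the lines carry no date, the emulation takes a base date as a parameter (Splunk has its own date fallbacks), and Splunk's `%3N` millisecond token is mapped to Python's `%f`.

```python
import re
from datetime import date, datetime

# Constructed props.conf stanza for the catalina log format shown in the question.
# The keys are documented Splunk props.conf settings; the stanza name and the
# pattern values are assumptions made for this example.
PROPS_CONF = r"""
[catalina_hornetq]
# an event starts only at a line that opens with "[HH:MM:SS,mmm - "
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = ^\[\d{2}:\d{2}:\d{2},\d{3} -
# the timestamp sits right after the opening bracket and is 12 characters long
TIME_PREFIX = ^\[
MAX_TIMESTAMP_LOOKAHEAD = 12
TIME_FORMAT = %H:%M:%S,%3N
"""

# Constructed sample in the same shape as the excerpt in the question: an SNMP
# OID line and a stack trace belong to the event that precedes them.
SAMPLE_LINES = [
    "[15:34:22,745 - Thread-76 (HornetQ-client-factory-threads-887115841-1086694719)] [CONN] DEBUG - TrapProcessor:98 - trap received",
    "1.3.6.1.4.1.20742.3.5.1.2.1.x.x = XX",
    "[15:35:10,560 - Thread-77 (HornetQ-client-factory-threads-887115841-1086694719)] [CONN] DEBUG - TrapProcessor:110 - [...]",
    "java.lang.IllegalStateException: constructed example",
    "    at example.TrapProcessor.process(TrapProcessor.java:110)",
]


def parse_props(text):
    """Minimal props.conf reader: {stanza: {key: value}}, '#' lines ignored."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def break_events(lines, props):
    """Emulate SHOULD_LINEMERGE=true with BREAK_ONLY_BEFORE: a new event starts
    only at a line matching the pattern; every other line joins the current one."""
    starts = re.compile(props["BREAK_ONLY_BEFORE"])
    events = []
    for line in lines:
        if starts.search(line) or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events


# strptime tokens -> regex, so the timestamp can be located inside the lookahead
# window without having to fill the whole window
_STRPTIME_RE = {"%H": r"\d{2}", "%M": r"\d{2}", "%S": r"\d{2}", "%f": r"\d{1,6}",
                "%Y": r"\d{4}", "%m": r"\d{2}", "%d": r"\d{2}"}


def format_to_regex(fmt):
    out, i = "", 0
    while i < len(fmt):
        token = fmt[i:i + 2]
        if token in _STRPTIME_RE:
            out += _STRPTIME_RE[token]
            i += 2
        else:
            out += re.escape(fmt[i])
            i += 1
    return out


def extract_time(event, props, base_date):
    """Emulate TIME_PREFIX / MAX_TIMESTAMP_LOOKAHEAD / TIME_FORMAT on one event.
    Only the window right after the prefix is searched, so a time-looking string
    later in the event cannot be picked up. Returns a datetime or None."""
    prefix = re.compile(props["TIME_PREFIX"]).search(event)
    if prefix is None:
        return None
    window = event[prefix.end(): prefix.end() + int(props["MAX_TIMESTAMP_LOOKAHEAD"])]
    fmt = props["TIME_FORMAT"].replace("%3N", "%f")  # Splunk milliseconds -> Python %f
    found = re.search(format_to_regex(fmt), window)
    if found is None:
        return None
    parsed = datetime.strptime(found.group(0), fmt)
    # the log lines have no date: take it from the caller (assumed 03.03.15 as in the question)
    return parsed.replace(year=base_date.year, month=base_date.month, day=base_date.day)


def index_sample(base_date=date(2015, 3, 3)):
    """Run the emulation end to end; returns (ISO timestamp or None, first line) per event."""
    props = parse_props(PROPS_CONF)["catalina_hornetq"]
    results = []
    for event in break_events(SAMPLE_LINES, props):
        ts = extract_time(event, props, base_date)
        results.append((ts.isoformat() if ts else None, event.splitlines()[0]))
    return results


if __name__ == "__main__":
    for ts, first in index_sample():
        print(ts, first[:60])
```

With this stanza the OID line and the stack trace stay attached to the event above them, and each event's time comes from its own first line; without it, a line such as `1.3.6.1.4.1.20742.3.5.1.2.1.x.x = XX` has nothing to tell the indexer where one event ends and the next begins.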
Thanks for your answer!
I'll try it out and check whether I solved it.
But another problem I'm having is that the direct file upload doesn't work for me.
Splunk seems to upload the file until 100% but then it freezes and no progress is visible.