I have the following in props.conf:
[source::udp:32001]
TZ = UTC
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 32
BREAK_ONLY_BEFORE_DATE = True
SHOULD_LINEMERGE = False
[source::udp:32002]
TZ = UTC
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 32
BREAK_ONLY_BEFORE_DATE = True
SHOULD_LINEMERGE = False
[source::udp:32006]
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 32
BREAK_ONLY_BEFORE_DATE = True
SHOULD_LINEMERGE = False
From what I've read, it seems this should work to "simplify" my props.conf, but when I actually implement this it doesn't work:
[source::udp:32001|udp:32002|udp:32006]
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 32
BREAK_ONLY_BEFORE_DATE = True
SHOULD_LINEMERGE = False
[source::udp:32001|udp:32002]
TZ = UTC
With source-specific entries, time settings are correctly interpreted. When I attempt to configure a single stanza with multiple sources using |, it fails (most notably, the log data from udp:32001/2 are shifted 5 hours in the future).
Is this not supported? Or am I just doing it wrong? 🙂
Also, if you want to see a complete view of your Splunk install, install the Splunk on Splunk (SoS) app with SideView Utils. You can see everything about your Splunk environment in one place.
http://splunk-base.splunk.com/apps/29008/sos-splunk-on-splunk
Give this notation a try:
[source::(udp:32001)|(udp:32002)|(udp:32006)]
Also, to troubleshoot further and to see where and what parameters are set for each source, use btool:
splunk cmd btool props list [stanza_name]
or, for even more verbosity:
splunk cmd btool --debug props list [stanza_name]
Hope this helps.
> please upvote and accept answer if you find it useful - thanks!
Nope - fraid not. Simple test:
[source::(udp:32001)|(udp:32002)|(udp:32006)]
FIELDALIAS-user2 = User_Name as user2
[source::udp:32001]
FIELDALIAS-user = User_Name as user
FIELDALIAS-user3 = User_Name as user3
"user" and "user3" get picked up, "user2" does not. btool picks up the settings and reports the stanza as written in props.conf, so...
Think I'm just going to report a bug and move on.