Hello
I'm having an issue with timestamping for my WinRegistry data.
I don't know whether by design, or for some other reason, the timestamps in the logs are as such:
11/02/11154 14:24:53.046
which of course is interpreted incorrectly. These Universal Forwarders forward to a cluster of Heavy Forwarders where an app SHOULD set the timestamp:
[WinRegistry]
DATETIME_CONFIG = CURRENT
but this does not seem to be the case as I have logs that go back to 1969 and forward to 2032.
Any ideas on where the issue may be?
Thanks for the thoughts
Your sourcetype must match EXACTLY; does it? You must restart your Splunk instance on the server where you changed this setting.
I would not use this approach, though; I would use SEDCMD to rewrite the timestamp with this:
s/^(\d+\/\d+)\/1115/\1\/2014/
You will have to fix this every New-Year's Eve (or until you can get the log writer/formatter fixed).
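As an added illustration, not part of the answer above and not Splunk's own code: the Python script below applies a SEDCMD-style s/regex/replacement/ substitution to the sample line from the question (a constructed line; the timestamp is copied from the post, the event text is made up) and then checks whether the result parses as MM/DD/YYYY HH:MM:SS.mmm. It runs the posted expression and, beside it, an assumed variant that matches the whole five-digit year field; the hard-coded 2014 is the same assumption the answer makes and needs the same yearly update.

```python
import re
from datetime import datetime

# Constructed sample line: the timestamp is copied from the question, the event text is made up.
SAMPLE = "11/02/11154 14:24:53.046 key=HKLM\\SOFTWARE\\Example"

# The substitution as posted in the answer, in Splunk SEDCMD syntax (s/regex/replacement/flags).
POSTED_SEDCMD = r"s/^(\d+\/\d+)\/1115/\1\/2014/"

# Assumed variant: match the whole five-digit year field, so nothing of the bad field survives.
# The hard-coded 2014 is the same assumption the answer makes and needs the same yearly update.
WHOLE_FIELD_SEDCMD = r"s/^(\d+\/\d+)\/\d{5}\b/\1\/2014/"


def parse_sedcmd(sedcmd):
    """Split 's/regex/replacement/flags' into its three parts.

    Splits only on unescaped slashes, so \\/ inside the regex or replacement is kept.
    """
    if not sedcmd.startswith("s/"):
        raise ValueError("only s/// substitutions are supported")
    parts = re.split(r"(?<!\\)/", sedcmd[2:])
    if len(parts) != 3:
        raise ValueError("expected s/regex/replacement/flags")
    regex, repl, flags = parts
    return regex, repl, flags


def apply_sedcmd(sedcmd, line):
    """Apply one SEDCMD-style substitution to a single event line."""
    regex, repl, flags = parse_sedcmd(sedcmd)
    # Python's re.sub understands \1 back-references but leaves an unknown \/ escape
    # in the replacement untouched, so turn \/ back into a plain slash first.
    repl = repl.replace(r"\/", "/")
    count = 0 if "g" in flags else 1
    return re.sub(regex, repl, line, count=count)


def extract_timestamp(line):
    """Return the leading MM/DD/YYYY HH:MM:SS.mmm timestamp as a datetime, or None.

    Requires exactly four year digits followed by the time and then whitespace or
    end of line, so a leftover digit from a partial rewrite fails here instead of
    being read as some other year.
    """
    m = re.match(r"^(\d{1,2}/\d{1,2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3})(?:\s|$)", line)
    if not m:
        return None
    try:
        return datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S.%f")
    except ValueError:
        return None


if __name__ == "__main__":
    for label, sedcmd in (("posted", POSTED_SEDCMD), ("whole-field", WHOLE_FIELD_SEDCMD)):
        rewritten = apply_sedcmd(sedcmd, SAMPLE)
        print(f"{label:12} {rewritten!r} -> {extract_timestamp(rewritten)}")
```

On that sample the posted expression replaces the first four digits of the five-digit year field and leaves the fifth in place, so the rewritten line starts with 11/02/20144 and does not parse; the whole-field variant yields 11/02/2014 14:24:53.046, which parses as 2014-11-02 14:24:53.046. Whichever expression you use, the parse check is worth keeping around so you notice when the writer's format changes again.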
Yeah, they match. In the app on the UF it's:
[source::....winregistry]
sourcetype = WinRegistry
In the props on the HF the stanza is:
[WinRegistry]
DATETIME_CONFIG = CURRENT
Did you restart splunk instances?
Yeah, I did. This has actually been in place for quite some time and hasn't been working. Just haven't had time to get to it until now.
I actually have a WebEx with support on this today. I believe that there's an issue with line breaking and it's inserting values where they should not be, and it's affecting the timestamp.
Thanks for looking at it!