How to ignore the timestamp or any time value provided in the logs and use current time of the servers forwarding data instead?

isha_rastogi
Path Finder

I am indexing a log file which doesn't have a timestamp, but has a few events that contain a completion time (how much time it took to complete, i.e. a time difference). Splunk is taking this time as the timestamp, which ultimately is causing wrong timestamp assignment.

Event is something like below:

[check:INFO][abc.sh] abc.sh Total Time: 0:10:47

In Splunk it is shown as

14/12/2016 10:47:00.000 [check:INFO][abc.sh] abc.sh Total Time: 0:10:47

However, this 10:47 is not the timestamp. For a few events it is working fine, but not for every event.

I've tried putting the props.conf below on the Search head. I also want to break each line into a separate event, but that is also not working 😞

[mysourcetype]
DATETIME_CONFIG = CURRENT
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Custom
disabled = false
pulldown_type = true
LINE_BREAKER = ([\r\n]+)
MAX_TIMESTAMP_LOOKAHEAD = 0

My forwarders are in EST and Splunk server time is GMT.


somesoni2
SplunkTrust
SplunkTrust

The above configuration should be kept on Indexers OR heavy forwarders. Also, it'll fix this for new data only; old historical data would still be wrong.
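As an added illustration (not code from this thread or from Splunk), the Python below models the two behaviours the answer contrasts: automatic timestamp recognition, which finds a time-of-day-looking token such as the duration "0:10:47" and borrows the date of the parsing host, versus DATETIME_CONFIG = CURRENT, which stamps every event with the parsing host's clock and never consults the event text. The regex, the two-digit-hour rule and the clock value NOW are constructed assumptions, not Splunk's real recogniser.

```python
"""Simplified model of the two timestamping behaviours discussed in this thread.
Added illustration only; this is NOT Splunk's own timestamp extraction code."""
import re
from datetime import datetime
from typing import Optional

# Constructed stand-in for an automatic time-of-day recogniser.  It is just
# rich enough to reproduce the symptom from the question: a two-digit hour is
# required, so inside the duration "0:10:47" the token "10:47" is picked up.
TIME_OF_DAY = re.compile(r"\b(\d{2}):(\d{2})(?::(\d{2}))?\b")

# The event from the question (a duration, not a timestamp) and a constructed
# clock for the host doing the parsing (indexer / heavy forwarder).
EVENT = "[check:INFO][abc.sh] abc.sh Total Time: 0:10:47"
NOW = datetime(2016, 12, 14, 9, 0, 0)


def assign_time(event: str, now: datetime, datetime_config: Optional[str] = None,
                lookahead: int = 128) -> datetime:
    """Return the _time this modelled parser assigns to `event`.

    datetime_config  None models the default (recognise a timestamp in the text);
                     "CURRENT" models DATETIME_CONFIG = CURRENT
    lookahead        how far into the event the recogniser looks, in the spirit
                     of MAX_TIMESTAMP_LOOKAHEAD (model behaviour only)
    """
    if datetime_config == "CURRENT":
        return now                      # index-time setting: text never consulted
    m = TIME_OF_DAY.search(event[:lookahead])
    if not m:
        return now                      # nothing time-like found: fall back to now
    hh, mm, ss = (int(g) if g else 0 for g in m.groups())
    if not (hh < 24 and mm < 60 and ss < 60):
        return now
    # The event carries no date, so the recogniser borrows today's date.  This
    # is exactly how a duration ends up as a wall-clock timestamp.
    return now.replace(hour=hh, minute=mm, second=ss, microsecond=0)


def misdated(events, now: datetime):
    """Events whose auto-recognised _time differs from the CURRENT one, i.e. the
    events the original (search-head) configuration would still stamp wrongly."""
    return [e for e in events if assign_time(e, now) != assign_time(e, now, "CURRENT")]


if __name__ == "__main__":
    print("auto    :", assign_time(EVENT, NOW))            # 2016-12-14 10:47:00
    print("CURRENT :", assign_time(EVENT, NOW, "CURRENT"))  # 2016-12-14 09:00:00
    print("misdated:", misdated([EVENT, "[check:INFO][abc.sh] abc.sh started"], NOW))
```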

isha_rastogi
Path Finder

Thanks for the suggestion. Deployed the above configuration on the indexers and it worked. 🙂
