Splunk props.conf

yanivdutt
Explorer

Hi,
My logs are not breaking correctly. Below are sample logs:

16:40:13,732 INFO web Redeemed promotion=BI_500_POINTS for usa_id=2300000032458812 channel=OMS amount=500.0 offerId=2536374313674604550 termId=null dateSk=7484 locationSk=550 isCancel=true tier=ROUGE
16:40:13,747 INFO web Redeemed promotion=ROUGE_WELCOME_KIT for usa_id=2253998837903414 channel=atg amount=-0.0 offerId=3000000000000000001 termId=null dateSk=7484 locationSk=550 isCancel=false tier=ROUGE
16:40:13,748 INFO web Redeemed promotion=BI_100_POINTS for usa_id=2253998837903414 channel=atg amount=-100.0 offerId=2536374313674604552 termId=null dateSk=7484 locationSk=550 isCancel=false tier=ROUGE
16:40:29,553 INFO web Redeemed promotion=BD_GIFT for usa_id=2300000038257945 channel=atg amount=-0.0 offerId=2536374313674604551 termId=null dateSk=7484 locationSk=550 isCancel=false tier=BI
16:40:54,421 INFO web Redeemed promotion=BD_GIFT for usa_id=2300000045716715 channel=atg amount=-0.0 offerId=2536374313674604551 termId=null dateSk=7484 locationSk=2492 isCancel=false tier=ROUGE
16:40:58,121 INFO web Redeemed promotion=VIB_WK for usa_id=2300000026110754 channel=pos amount=-0.0 offerId=2536374313674604555 termId=null dateSk=7484 locationSk=341 isCancel=false tier=BI

I tried
[web]
TIME_FORMAT=%T,%L
SHOULD_LINEMERGE=false

0 Karma

gcusello
SplunkTrust

Hi yanivdutt,
What are %T and %L?
Try with:

TIME_FORMAT=%H:%M:%S,%3N

I suggest extracting a sample from your logs and using the web guided log ingestion, so you can immediately test your props.

Bye.
Giuseppe

0 Karma
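
A fuller `[web]` stanza built around the TIME_FORMAT suggested in the reply above, as an added example that is not part of the original thread. The LINE_BREAKER, TIME_PREFIX and MAX_TIMESTAMP_LOOKAHEAD values are assumptions derived from the sample lines in the question, and the TZ line is a placeholder.

```ini
# props.conf (added example, not from the thread)
[web]
# One event per line: break on newlines only when the next line starts
# with an HH:MM:SS,mmm timestamp (pattern assumed from the sample logs).
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=\d{2}:\d{2}:\d{2},\d{3}\s)

# The timestamp is the first 12 characters of each event, e.g. 16:40:13,732
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 12

# Posted in the question:  TIME_FORMAT=%T,%L
# Suggested in the reply:
TIME_FORMAT = %H:%M:%S,%3N

# The sample events carry a time but no date and no time zone.
# Splunk has to take the date from elsewhere (for example the source or
# file name, then the file modification time), so check the resulting
# _time on events written around midnight.
# Set TZ if the application's zone differs from the forwarder host's.
# Placeholder value, replace with the real zone:
# TZ = <application time zone>
```

These are parse-time settings, so they belong on the instance that parses the data (indexer or heavy forwarder) and apply only to events indexed after the change.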