Hello, our logs have ISO 8601 date format with a shortened year (YY instead of YYYY): "12-08-06 04:42:10". It is 6 August 2012, but Splunk thinks it is 12 August 2006.
I've added to props.conf:
TIME_FORMAT = %y-%m-%d %H:%M:%S
but this didn't change anything.
The full config:
[source::/var/log/access*]
#12-08-03 19:48:40 "user1|g" 1.2.3.4 "CONNECT www.example.com:443"
EXTRACT-access = ^(?P<datestamp>[^ ]+) (?P<timestamp>[^ ]+) "(?P<auth_user>[^|]+)\|(?P<profile>[^"]+)" (?P<src_ip>[^ ]+) "(?P<method>[A-Z]+) (?P<url>[^"]+)"
TIME_FORMAT = %y-%m-%d %H:%M:%S
thanks
Your logs are not using ISO 8601. It specifies four-digit years. There is no provision in it for a two-digit year.
I downvoted this post because the OP stated the exception, and the comment does nothing to answer the question.
Hello, can we push this from Deployment Monitor?
MAX_TIMESTAMP_LOOKAHEAD=20
SHOULD_LINEMERGE=false
TIME_FORMAT=%y-%m-%d %H:%M:%S
TIME_PREFIX=^
Sorry for the misleading post; the HTML tags come from Markdown and don't belong to the config.
This is the log line:
12-08-03 19:48:40 "user1|g" 1.2.3.4 "CONNECT www.example.com:443"
This is the props.conf (I've removed the EXTRACT expression for clarity):
[source::/var/log/access*]
TIME_FORMAT = %y-%m-%d %H:%M:%S
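The timestamp settings discussed in this thread can be checked against a sample line before they are deployed. The following is an added example, not part of the original thread and not Splunk's code: it approximates TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD and TIME_FORMAT with Python's `re` and `strptime`, and the function names and the sample line are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample line in the format shown in the thread.
SAMPLE = '12-08-06 04:42:10 "user1|g" 1.2.3.4 "CONNECT www.example.com:443"'


def extract_timestamp(event, time_format, time_prefix="^", lookahead=20):
    """Approximate the three props.conf settings (hypothetical helper).

    time_prefix -> regex; parsing starts where its match ends
    lookahead   -> how many characters after that point may be examined
    time_format -> strptime pattern applied to that window
    Returns a datetime, or None when no timestamp is recognized.
    """
    match = re.search(time_prefix, event)
    if match is None:
        return None
    window = event[match.end():match.end() + lookahead]
    # strptime rejects trailing text, so try the longest prefix first.
    for end in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:end], time_format)
        except ValueError:
            continue
    return None


def readings(event, formats, **kwargs):
    """Map each candidate format to the datetime it yields for this event."""
    return {fmt: extract_timestamp(event, fmt, **kwargs) for fmt in formats}


if __name__ == "__main__":
    # The same digits read as year-month-day and as day-month-year.
    candidates = ["%y-%m-%d %H:%M:%S", "%d-%m-%y %H:%M:%S"]
    for fmt, ts in readings(SAMPLE, candidates).items():
        print(f"{fmt!r:24} -> {ts}")
    # A window shorter than the timestamp leaves nothing to parse.
    print(extract_timestamp(SAMPLE, candidates[0], lookahead=10))
```

Running it shows the two readings of the same digits side by side, which is the discrepancy described in the question, and that a lookahead window shorter than the timestamp yields no match.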