My event looks like this:
Jan 30 10:32:43 192.168.1.1 Netdefender: 30-01-2014 02:54:05 WARNING
We would like to use the second timestamp for our events. We have configured props.conf in /local like this:
[netdefender]
TIME_PREFIX = \w+\s\d+\s\d{2}:\d{2}:\d{2}\s\d+\.\d+\.\d+\.\d+\s\w+\:\s
MAX_TIMESTAMP_LOOKAHEAD = 44
We are still seeing index time as the timestamp. What are we missing?
The config below should work.
[netdefender]
TIME_PREFIX = :\s
TIME_FORMAT = %d-%m-%Y %H:%M:%S
Further things to check:
You have edited the correct props.conf file?
The sourcetype name is correct?
You are aware that this only affects new events coming in?
You have restarted Splunk?
/K
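As an added example (my own code, not part of the original answer or of Splunk), the script below models how the TIME_PREFIX / TIME_FORMAT pair picks the device's timestamp out of this event: search the event for the prefix regex, then parse what follows (up to MAX_TIMESTAMP_LOOKAHEAD characters) with the strptime-style TIME_FORMAT. This is an approximation of Splunk's index-time behaviour, and the automatic timestamp detection Splunk attempts when TIME_FORMAT is absent is deliberately not modelled; the sample event is copied from the question.

```python
import re
from datetime import datetime
from typing import Optional

# Sample event in the format from the question (constructed copy).
SAMPLE_EVENT = "Jan 30 10:32:43 192.168.1.1 Netdefender: 30-01-2014 02:54:05 WARNING"

# Values from the answer's props.conf stanza.
ANSWER_TIME_PREFIX = r":\s"
ANSWER_TIME_FORMAT = "%d-%m-%Y %H:%M:%S"

# The longer prefix from the question, kept to show it anchors at the same offset.
QUESTION_TIME_PREFIX = r"\w+\s\d+\s\d{2}:\d{2}:\d{2}\s\d+\.\d+\.\d+\.\d+\s\w+\:\s"

DEFAULT_LOOKAHEAD = 128  # Splunk's documented default for MAX_TIMESTAMP_LOOKAHEAD


def prefix_end(event: str, time_prefix: str) -> Optional[int]:
    """Offset just past the first TIME_PREFIX match, or None if it never matches."""
    m = re.search(time_prefix, event)
    return None if m is None else m.end()


def extract_timestamp(event: str, time_prefix: str, time_format: str,
                      lookahead: int = DEFAULT_LOOKAHEAD) -> Optional[datetime]:
    """Simplified model (assumption, not Splunk's actual parser):
    the timestamp is searched only in the `lookahead` characters that follow
    the TIME_PREFIX match, and must parse with TIME_FORMAT."""
    start = prefix_end(event, time_prefix)
    if start is None:
        return None
    window = event[start:start + lookahead]
    # strptime needs the whole string to match the format, so shrink the window
    # from the right until the leading portion parses.
    for end in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:end], time_format)
        except ValueError:
            continue
    return None


def event_time(event: str, time_prefix: str, time_format: str,
               index_time: datetime, lookahead: int = DEFAULT_LOOKAHEAD) -> datetime:
    """What the event's _time ends up as: the extracted timestamp, or the
    index time when nothing parses (the symptom described in the question)."""
    parsed = extract_timestamp(event, time_prefix, time_format, lookahead)
    return index_time if parsed is None else parsed


if __name__ == "__main__":
    now = datetime(2014, 1, 30, 10, 32, 43)  # constructed "index time"
    print("answer prefix ends at", prefix_end(SAMPLE_EVENT, ANSWER_TIME_PREFIX))
    print("question prefix ends at", prefix_end(SAMPLE_EVENT, QUESTION_TIME_PREFIX))
    print("_time:", event_time(SAMPLE_EVENT, ANSWER_TIME_PREFIX, ANSWER_TIME_FORMAT, now))
    # A lookahead too short to cover the whole timestamp falls back to index time.
    print("_time with lookahead=5:",
          event_time(SAMPLE_EVENT, ANSWER_TIME_PREFIX, ANSWER_TIME_FORMAT, now, lookahead=5))
```

Both prefixes end at the same offset (just after "Netdefender: "), because `:\s` does not match the colons inside "10:32:43" (they are followed by digits, not whitespace); the shorter pattern is simply less brittle if the hostname or program name changes. The lookahead check shows why a value that is too small reproduces the "index time as timestamp" symptom.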
Thank you, that did what we needed!