Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Timestamp recognition

kcchu01
Explorer
‎11-02-2020 07:55 PM

I am trying to monitor the log file and index to Splunk with the following log format.

02/11/2020,16:09:02,test-xxxxx,DISCONNECT ....

The date format is in DD/MM/YYYY, I added the following stanza in the $SPLUNK/etc/system/local/props.conf of the indexer 

[testsourcetype]

TIME_FORMAT = %d/%m/%Y,%H:%M:%S

However the log still not able to be indexed to Splunk, are there anything I missed?

 

Thank you

 

Labels (1)
Labels
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-04-2020 03:40 AM

Hi @kcchu01,

Let me understand:

  • you updated your props.conf on Indexer,
  • then you restarted Splunk on Indexers,
  • your source file is changed in the meanwhile;

is this correct?

Check the last point because the props.conf is correct and located in the correct point.

But Splunk doesn't index twice a log.

For test, you could add to inputs.conf, in the stanza of the test input also 

crcSalt = <SOURCE>

in this way, changing the file name, you can index it more times.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎11-02-2020 11:56 PM

Hi @kcchu01,

only one question: is there any Heavy Forwatders between the source and the Indexer?

If yes, you have to put this props.conf (also) on Heavy Forwarder.

then add to your props.conf 

TIME_PREFIX = ^

to be sure that Splunk takes the correct timestamp.

Another final question: what's the error you have?

Only one final hint. if a test installation it could be also ok, but usually it's a best practice not to put props.conf in $SPLUNK_HOME/etc/system/local, but it in an App or in Technical Add-On (TA).

Ciao.

Giuseppe

Reply
Solved! Jump to solution

kcchu01
Explorer
‎11-03-2020 12:30 AM

Hi Giuseppe,

No heavy forwarder, just direct connect from UF to Indexer.

 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎11-03-2020 12:38 AM

Hi @kcchu01,

what's the error you have?

ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

kcchu01
Explorer
‎11-03-2020 05:12 PM

No new log found after modified the props.conf

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-04-2020 03:40 AM

Hi @kcchu01,

Let me understand:

  • you updated your props.conf on Indexer,
  • then you restarted Splunk on Indexers,
  • your source file is changed in the meanwhile;

is this correct?

Check the last point because the props.conf is correct and located in the correct point.

But Splunk doesn't index twice a log.

For test, you could add to inputs.conf, in the stanza of the test input also 

crcSalt = <SOURCE>

in this way, changing the file name, you can index it more times.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

kcchu01
Explorer
‎11-09-2020 05:38 PM

Hi, the log can be indexed again after following your method.

 

Thanks a lot

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎11-09-2020 11:11 PM

Hi @kcchu01,

good for you.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...