I have configured a custom datetime_custom.xml.
It is working on the Heavy Forwarder (HF) with props.conf on the HF,
but when I deployed it to the indexers, the indexers are not reading the settings.
DATETIME_CONFIG=/etc/apps/testing/local/datetime.xml
- ON HF WORKED FINE
DATETIME_CONFIG=/etc/slave-apps/testing/local/datetime.xml
- ON INDEXERS NOT WORKING.
Do I need to change path on indexers?
I put the datetime.xml in "master-apps", from where it was pushed to "slave-apps", and it is working.
The props file is:
splunk@#######~$ cat /opt/splunk/etc/master-apps/Index_Cluster_Config/local/props.conf
[default]
DATETIME_CONFIG = etc/slave-apps/Forwarder_Gen_and_Sec_Settings/bin/datetime.xml
With the datetime.xml being pushed to
/opt/splunk/etc/slave-apps/Index_Cluster_Config/bin/datetime.xml
If you are using a heavy forwarder with the indexers, the timestamps will be parsed on the heavy forwarders. If you are using Universal Forwarders with your indexers (or monitoring files that reside on the indexer itself), then the timestamps will be parsed on the indexers.
Was it really necessary to write the datetime config XML file?
Wouldn't it have been easier - and possibly more efficient - to simply use the TIME_FORMAT option in props.conf instead?
Finally, to answer your question: no, if the indexers are clustered, you must put the datetime.xml file into the master app packages that are distributed to the slave app directory of the indexer peers.
Hi lguinn, I put my datetime.xml in place and deployed it to slave-apps, but it is not working. FYI, my events are sent to the HTTP Event Collector services/collector endpoint. Is that the reason they are not being parsed? What should I modify? I just need to extract the time. Splunk is not even detecting the timestamp before 128 characters.
It is just setting the timestamp to the current time.
<?xml version="1.0" encoding="UTF-8"?>
<!-- Tags restored: the forum stripped them from the original post. The <use> elements
     inside timePatterns/datePatterns are reconstructed from the standard datetime.xml layout;
     the stray space in the subsecond group (\d{3} ) was removed. -->
<datetime>
  <!-- Extracts hour, minute, second and millisecond subsecond from "timestamp=YYYY-MM-DD HH:MM:SS.mmm" -->
  <define name="_time" extract="hour, minute, second, subsecond">
    <text><![CDATA[timestamp\W+\d{4}-\d{2}-\d{2}\s(\d{1,2}):(\d{2}):(\d{2}).(\d{3})]]></text>
  </define>
  <!-- Extracts year, month and day from "DATE=YYYY-MM-DD" -->
  <define name="_date" extract="year, month, day">
    <text><![CDATA[DATE\W+(\d{4})-(\d{2})-(\d{2})]]></text>
  </define>
  <timePatterns>
    <use name="_time"/>
  </timePatterns>
  <datePatterns>
    <use name="_date"/>
  </datePatterns>
</datetime>
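Added example (not from the thread): a small Python harness that applies the two regexes from the datetime.xml above to constructed events and mimics a timestamp lookahead window, so the "not detected after 128 characters" symptom can be reproduced offline. The window size stands in for the props.conf setting MAX_TIMESTAMP_LOOKAHEAD, whose default is 128; the event strings are made up for the demonstration.

```python
import re
from datetime import datetime, timezone

# Patterns copied from the thread's datetime.xml (stray space removed from the subsecond group).
TIME_RE = re.compile(r"timestamp\W+\d{4}-\d{2}-\d{2}\s(\d{1,2}):(\d{2}):(\d{2}).(\d{3})")
DATE_RE = re.compile(r"DATE\W+(\d{4})-(\d{2})-(\d{2})")

# Constructed sample events (not real data). In EVENT_PADDED the DATE field starts at
# offset 137, i.e. beyond a 128-character lookahead window.
EVENT_SHORT = 'DATE=2023-05-04 timestamp=2023-05-04 13:07:09.250 msg="login ok" user=alice'
EVENT_PADDED = "level=INFO component=auth " + "x" * 110 + " " + EVENT_SHORT


def extract_timestamp(event, lookahead=128):
    """Search only the first `lookahead` characters, as a lookahead-limited parser would.

    Returns an aware UTC datetime when both the _date and _time patterns match inside
    the window, otherwise None (which in Splunk terms means "fall back to current time").
    """
    window = event[:lookahead]
    t = TIME_RE.search(window)
    d = DATE_RE.search(window)
    if not t or not d:
        return None
    year, month, day = (int(x) for x in d.groups())
    hour, minute, second, millis = (int(x) for x in t.groups())
    return datetime(year, month, day, hour, minute, second, millis * 1000, tzinfo=timezone.utc)


def timestamp_offsets(event):
    """Report where each pattern first matches, to see whether it lies inside the window."""
    t = TIME_RE.search(event)
    d = DATE_RE.search(event)
    return {"date_offset": d.start() if d else None, "time_offset": t.start() if t else None}


if __name__ == "__main__":
    for name, ev in (("short", EVENT_SHORT), ("padded", EVENT_PADDED)):
        print(name, timestamp_offsets(ev))
        print("  lookahead=128 ->", extract_timestamp(ev))
        print("  lookahead=400 ->", extract_timestamp(ev, lookahead=400))
```

Running it shows the padded event yields None with the default window and a proper timestamp once the window covers the field, which is the behaviour to check before suspecting the regexes themselves.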