I am trying to get my time stamp configured.
My log file has a recognizable date in the title and all my log messages are getting indexed to this date. In each raw log message there is a clearly defined time stamp.
Sample start of log message:
[ WARN] [11.09.21 14:12:05] [95]
I have a props.conf in my local directory (splunk/etc/system/local) and have changed the DATETIME_CONFIG to point to my custom datetime.xml
[default]
DATETIME_CONFIG = \etc\system\local\datetime.xml
My datetime.xml looks like this:
<datetime>
<!-- capture groups are assigned to the extract names positionally: group 1 -> year, group 2 -> month, group 3 -> day, group 4 -> hour, group 5 -> minute, group 6 -> second -->
<define name="_mydatetimeformat" extract="year, month, day, hour, minute, second">
<text><![CDATA[^(?:\[.*\]\s\[)([0-9]+)\.([0-9]+)\.([0-9]+)\s([0-9]+):([0-9]+):([0-9]+)]]></text>
</define>
<timePatterns>
<use name="_mydatetimeformat"/>
</timePatterns>
<datePatterns>
<use name="_mydatetimeformat"/>
</datePatterns>
</datetime>
Perhaps I am not understanding how Splunk associates the capture groups with the different date fields. But adding this change doesn't seem to affect the dates that are displayed when searching. All log messages are still getting shown as the date time stamp found in the file name.
Any help is appreciated!
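Added example (not from the poster or from Splunk): a small script that loads the define from the posted datetime.xml, applies its regex to the sample line and maps the capture groups onto the extract names positionally, which is how such a define is read. Running it with the posted order (year, month, day) and with a day.month.year order shows how the same captured digits "11.09.21" turn into two different dates, so the mapping can be checked before the file is deployed. Assumptions: Python's re engine handles this pattern the same way Splunk's PCRE engine does, two-digit years are pivoted by simply adding 2000 (Splunk has its own pivot logic), and the trailing message text on the sample line is constructed.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# The poster's define, embedded inline (constructed copy) so the script runs offline.
DATETIME_XML = r"""<datetime>
<define name="_mydatetimeformat" extract="year, month, day, hour, minute, second">
<text><![CDATA[^(?:\[.*\]\s\[)([0-9]+)\.([0-9]+)\.([0-9]+)\s([0-9]+):([0-9]+):([0-9]+)]]></text>
</define>
<timePatterns><use name="_mydatetimeformat"/></timePatterns>
<datePatterns><use name="_mydatetimeformat"/></datePatterns>
</datetime>"""

# Constructed sample line in the poster's format; the text after the third bracket is made up.
SAMPLE_LINE = "[ WARN] [11.09.21 14:12:05] [95] connection retry exhausted"


def load_defines(xml_text):
    """Return {name: (compiled_regex, [extract_field, ...])} for every <define> element."""
    root = ET.fromstring(xml_text)
    defines = {}
    for d in root.findall("define"):
        fields = [f.strip() for f in d.get("extract", "").split(",") if f.strip()]
        pattern = re.compile(d.find("text").text)
        defines[d.get("name")] = (pattern, fields)
    return defines


def extract_fields(pattern, fields, line):
    """Map capture groups to extract names by position: group 1 -> fields[0], group 2 -> fields[1], ..."""
    m = pattern.search(line)
    if m is None:
        return None
    if len(m.groups()) != len(fields):
        raise ValueError(f"{len(m.groups())} capture groups but {len(fields)} extract names")
    return {name: int(value) for name, value in zip(fields, m.groups())}


def to_datetime(parts, century=2000):
    """Build a datetime from the mapped parts; two-digit years get `century` added (assumption)."""
    year = parts["year"] + century if parts["year"] < 100 else parts["year"]
    return datetime(year, parts["month"], parts["day"],
                    parts.get("hour", 0), parts.get("minute", 0), parts.get("second", 0))


def interpret(line, extract_order, xml_text=DATETIME_XML):
    """Apply the posted regex with a chosen extract order; returns a datetime or None on no match."""
    pattern, _posted_order = load_defines(xml_text)["_mydatetimeformat"]
    parts = extract_fields(pattern, extract_order, line)
    return None if parts is None else to_datetime(parts)


if __name__ == "__main__":
    posted = ["year", "month", "day", "hour", "minute", "second"]
    dmy = ["day", "month", "year", "hour", "minute", "second"]
    print("posted order  (year.month.day):", interpret(SAMPLE_LINE, posted))
    print("swapped order (day.month.year):", interpret(SAMPLE_LINE, dmy))
```

With the posted extract order the sample line is read as 2011-09-21; with day, month, year first it is read as 2021-09-11. Whichever is right for the log, the extract list has to name the fields in the order the groups appear in the regex, not in any fixed year/month/day order.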