I have a timestamp in the format Wed Jan 25 16:36:02 EST. I can't get Splunk to match it.
I tried modifying the props.conf:
[host::rok*]
TIME_PREFIX = dst
TIME_FORMAT = %a %b %d %H:%M:%S %Z
But it doesn't recognize the pattern. Am I missing something?
Full-event line:
dst Thu Jan 26 07:45:12 EST 10.10.1.2:vmwsspapp02_prd_data01 rok:vmwsspapp02_prd_data01 Start
Thanks!