Total newbie here.
I have a data file (a few lines here):
1280718483,204.28.227.23:53;5;5.49;13;2183;2183;0;0;0-2103;2-0;3-48;5-32;15-0;*-0;2183;0;0;0;0
1280718543,204.28.227.23:53;5;5.75;6;16;16;0;0;0-16;2-0;3-0;5-0;15-0;*-0;16;0;0;0;0
1280804716,204.28.227.23:53;4;6.74;77;2412;2412;0;0;0-2332;2-0;3-48;5-32;15-0;*-0;2410;2;0;0;0
1280804776,204.28.227.23:53;5;5.57;14;2391;2391;0;0;0-2343;2-0;3-0;5-48;15-0;*-0;2391;0;0;0;0
The actual file has 500+ lines (events?) going back several months.
The first number in each line (e.g. 128071848) is the date in seconds since the epoch.
How can I get Splunk (using 4.1.5) to recognize this as the date?
The file is called "tns-stats-0.log.0" located in /home/lis/log/lis and I have the following in etc/system/local/props.conf.
[source::.../lis/tns-stats-0.log.0]
TIME_FORMAT=%s
which is supposed to, from what I can gather, treat the format as seconds since epoch.
Yet, Splunk insists on assigning all of the events the time associated with the file itself.
Someone please tell me what I'm missing here. Based on what I've read in other answers and the Splunk docs, this should work.
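Added example, not part of the original post and not Splunk code: a pre-ingest check in Python that confirms every line of a file in this format starts with a 10-digit epoch value followed by a comma, and shows the UTC time each one maps to. The function names and the last sample line are constructed for illustration; the 10-digit assumption is taken from the sample lines in the post.

```python
import re
from datetime import datetime, timezone

# First four lines are copied from the post; the last one is constructed
# to show what a line without a usable timestamp looks like.
SAMPLE = [
    "1280718483,204.28.227.23:53;5;5.49;13;2183;2183;0;0;0-2103;2-0;3-48;5-32;15-0;*-0;2183;0;0;0;0",
    "1280718543,204.28.227.23:53;5;5.75;6;16;16;0;0;0-16;2-0;3-0;5-0;15-0;*-0;16;0;0;0;0",
    "1280804716,204.28.227.23:53;4;6.74;77;2412;2412;0;0;0-2332;2-0;3-48;5-32;15-0;*-0;2410;2;0;0;0",
    "1280804776,204.28.227.23:53;5;5.57;14;2391;2391;0;0;0-2343;2-0;3-0;5-48;15-0;*-0;2391;0;0;0;0",
    "n/a,204.28.227.23:53;0;0.00;0",  # constructed: no epoch prefix
]

# Assumption: the timestamp is exactly 10 digits at the start of the line,
# terminated by the comma that precedes the ip:port field.
EPOCH_PREFIX = re.compile(r"^(\d{10}),")


def leading_epoch(line):
    """Return the line's leading epoch as an aware UTC datetime, or None."""
    m = EPOCH_PREFIX.match(line)
    if m is None:
        return None
    return datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)


def audit(lines):
    """Split lines into (timestamps, problems).

    problems holds (line_number, reason) for lines with no epoch prefix and
    for lines whose timestamp is earlier than the previous good one.
    """
    stamps, problems, previous = [], [], None
    for number, line in enumerate(lines, start=1):
        ts = leading_epoch(line)
        if ts is None:
            problems.append((number, "no 10-digit epoch prefix"))
            continue
        if previous is not None and ts < previous:
            problems.append((number, "timestamp goes backwards"))
        stamps.append(ts)
        previous = ts
    return stamps, problems


if __name__ == "__main__":
    stamps, problems = audit(SAMPLE)
    for ts in stamps:
        print(ts.isoformat())
    for number, reason in problems:
        print(f"line {number}: {reason}")
```

Comparing these UTC values with the event times shown after indexing makes it clear whether the leading field or the file's modification time was used.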