Hi everyone,
Can someone tell me what I'm supposed to edit in my datetime.xml file for my custom date and time to be recognized in Splunk? Here is an example of a log:
I have tried:
datetime.xml
<datetime>
    <define name="Date" extract="year, month, day">
        <text>\<DATE>(\d{4})(\d{2})(\d{2})</text>
    </define>
    <define name="Time" extract="hour, minute, second">
        <text>\<TIME>(\d{2})(\d{2})(\d{2})</text>
    </define>
    <timePatterns>
        <use name="Time"/>
    </timePatterns>
    <datePatterns>
        <use name="Date"/>
    </datePatterns>
</datetime>
props.conf
DATETIME_CONFIG = /etc/system/local/datetime.xml
I think I'm missing something here....
Thanks, cheers