I have a log file that has entries like:
2011 May 03 14:20:25:923 GMT +2 BW.AFSAdapter-AFSAdapter blablabla
So my timestamps are at the very beginning. Splunk recognizes this but parses them slightly wrongly. For example, the timestamp above is parsed to an event timestamp '5/3/11 4:20:25.923 PM'.
Two strange things:
It sometimes drops the '1' from the hour
Sometimes 2 hours are added (we are in timezone GMT+2)
Examples:
2011 May 03 12:09:53:310 GMT +2 parsed to >>> 5/3/11 12:09:53.310 PM
2011 May 03 10:25:16:300 GMT +2 parsed to >>> 5/3/11 12:25:16.300 PM
I have set up my props.conf as follows:
[host::*kpnnl.local]
TZ=Europe/Amsterdam
[sourcetype::tibco_bwengine]
TIME_FORMAT=%Y %b %d %H:%M:%S:%3N %Z
Any hints?