topic Re: SplunkForwarder File Monitor stopped working at 23:59 June 30th 2013 in Getting Data In

SplunkForwarder File Monitor stopped working at 23:59 June 30th 2013

ultima — Mon, 01 Jul 2013 12:13:49 GMT

As the title says.
Forwarder File Monitor stopped working at 23:59 June 30th 2013

inputs.conf:

[monitor://E:\Logs]
disabled = 0
sourcetype = mftlogs

[WinEventLog:Security]
disabled = 0

Debug:
07-01-2013 13:51:05.570 +0200 DEBUG TcpOutputProc - Registering Channel for : source::E:\Logs<removed>.log|host::MFTD|mftlogs|:9997, oneTimeClient=0, _events.size()=0, _refCount=1, _waitingAckQ.size()=0, _supportsACK=0
07-01-2013 13:51:05.570 +0200 DEBUG TcpOutputProc - Unregistering Channel for : source::E:\Logs<removed>.log.log|host::MFTD|mftlogs|:9997, oneTimeClient=0, _events.size()=1, _refCount=2, _waitingAckQ.size()=0, _supportsACK=0

Windows Eventlog still gets inserted into splunk, but not the logs.
Anyone ? 😞

Re: SplunkForwarder File Monitor stopped working at 23:59 June 30th 2013

Ayn — Mon, 01 Jul 2013 12:49:20 GMT

I suspect this is a timestamp parsing issue. Splunk tries to guess what format the timestamp for a log event is in (unless you tell it explicitly what the format is), and sometimes it guesses wrong. If you do a realtime search you'll see all logs coming in regardless of what timestamp they're assigned, so that might be a thing to do for troubleshooting purposes.

Re: SplunkForwarder File Monitor stopped working at 23:59 June 30th 2013

ultima — Mon, 01 Jul 2013 13:26:16 GMT

Thanks Ayn.

Date came in as

01/07/2013 15:05:29

Splunk thought is was 7th of januar.
Damn US date stamps.

Corrected this in the props.conf.
Added:

[mftlogs]
TIME_FORMAT = %d/%m/%Y %H:%M:%S