topic Timestamp in props.conf in Getting Data In

Timestamp in props.conf

splunkingsplun1 — Thu, 30 Jan 2014 16:02:38 GMT

My event looks like this:

Jan 30 10:32:43 192.168.1.1 Netdefender: 30-01-2014 02:54:05 WARNING

We would like to use the second timestamp for our events. We have configured props.conf in /local like this:

[netdefender]
TIME_PREFIX = \w+\s\d+\s\d{2}:\d{2}:\d{2}\s\d+\.\d+\.\d+\.\d+\s\w+\:\s
MAX_TIMESTAMP_LOOKAHEAD = 44

We are still seeing index time as the timestamp. What are we missing?

kristian_kolb — Thu, 30 Jan 2014 16:12:39 GMT

The config below should work.

[netdefender]
TIME_PREFIX = :\s
TIME_FORMAT = %d-%m-%Y %H:%M:%S

Further things to check:

The sourcetype name is correct?

You are aware that this only affects new events coming in?

You have restarted Splunk?

splunkingsplun1 — Thu, 30 Jan 2014 19:46:54 GMT

Thank you that did what we needed!