https://community.splunk.com/t5/Getting-Data-In/Crashplan-Service-Log-Date-timestamp-incorrect/m-p/470654#M80900 <P>I would check if props.conf is located in correct place. It should be placed on the first Splunk Enterprise instance in your data flow. If it's placed on your heavy forwarder/intermediate heavy forwarder/indexer (whichever comes first), then give this configuration a try:</P> <PRE><CODE>[crashplan_service] SHOULD_LINEMERGE = false LINE_BREAKER = ([\r\n]+)(?=\[\d+\.\d+\d\.\d+) TIME_PREFIX = ^\[ MAX_TIMESTAMP_LOOKAHEAD = 21 TIME_FORMAT = %m.%d.%y %H:%M:%S.%3N </CODE></PRE> Tue, 11 Feb 2020 19:38:45 GMT somesoni2 2020-02-11T19:38:45Z https://community.splunk.com/t5/Getting-Data-In/Crashplan-Service-Log-Date-timestamp-incorrect/m-p/470653#M80899 <P>I've looked through a lot of the posts about date timestamp extraction and I think I'm decent enough at it but for the life of me I can't figure out what is going on with my logs for Crashplan. I found a post with a working example of <A href="https://answers.splunk.com/answers/481617/how-to-troubleshoot-why-time-format-is-not-being-a.html#answer-674391">crashplan service</A> log props and mine matched almost exactly but still no go.</P> <P>props.conf</P> <PRE><CODE>[crashplan_service] TIME_PREFIX = ^\[ MAX_TIMESTAMP_LOOKAHEAD = 21 TIME_FORMAT = %m.%d.%y %H:%M:%S.%3N SHOULD_LINEMERGE = false NO_BINARY_CHECK = true </CODE></PRE> <P>inputs.conf</P> <PRE><CODE>[monitor:///opt/crashplan/log/service.log.0] source = crashplan sourcetype = crashplan_service index = crashplan disabled = false </CODE></PRE> <P>Here is one event where the day/month look to be swapped:<BR /> <span class="lia-inline-image-display-wrapper" image-alt="1st screenshot of event and incorrect timestamp"><img src="https://community.splunk.com/t5/image/serverpage/image-id/8388i4083D885612AEFA6/image-size/large?v=v2&amp;px=999" role="button" title="1st screenshot of event and incorrect timestamp" alt="1st screenshot of event and incorrect timestamp" /></span></P> <P>With this event I have no idea how it's getting the day/month:<BR /> <span class="lia-inline-image-display-wrapper" image-alt="2nd screenshot, wrong date but correct timestamp"><img src="https://community.splunk.com/t5/image/serverpage/image-id/8389i3B145A57129961E2/image-size/large?v=v2&amp;px=999" role="button" title="2nd screenshot, wrong date but correct timestamp" alt="2nd screenshot, wrong date but correct timestamp" /></span></P> Tue, 11 Feb 2020 19:13:08 GMT https://community.splunk.com/t5/Getting-Data-In/Crashplan-Service-Log-Date-timestamp-incorrect/m-p/470653#M80899 bmorgenthaler 2020-02-11T19:13:08Z https://community.splunk.com/t5/Getting-Data-In/Crashplan-Service-Log-Date-timestamp-incorrect/m-p/470654#M80900 <P>I would check if props.conf is located in correct place. It should be placed on the first Splunk Enterprise instance in your data flow. If it's placed on your heavy forwarder/intermediate heavy forwarder/indexer (whichever comes first), then give this configuration a try:</P> <PRE><CODE>[crashplan_service] SHOULD_LINEMERGE = false LINE_BREAKER = ([\r\n]+)(?=\[\d+\.\d+\d\.\d+) TIME_PREFIX = ^\[ MAX_TIMESTAMP_LOOKAHEAD = 21 TIME_FORMAT = %m.%d.%y %H:%M:%S.%3N </CODE></PRE> Tue, 11 Feb 2020 19:38:45 GMT https://community.splunk.com/t5/Getting-Data-In/Crashplan-Service-Log-Date-timestamp-incorrect/m-p/470654#M80900 somesoni2 2020-02-11T19:38:45Z https://community.splunk.com/t5/Getting-Data-In/Crashplan-Service-Log-Date-timestamp-incorrect/m-p/470655#M80901 <P>@somesoni2 I tried that out and it someone worked but then I found a number of multiline events that didn't play nicely with that. I ended up using EVENT_BREAKER</P> Tue, 11 Feb 2020 23:46:24 GMT https://community.splunk.com/t5/Getting-Data-In/Crashplan-Service-Log-Date-timestamp-incorrect/m-p/470655#M80901 bmorgenthaler 2020-02-11T23:46:24Z https://community.splunk.com/t5/Getting-Data-In/Crashplan-Service-Log-Date-timestamp-incorrect/m-p/470656#M80902 <P>Well I've solved my ingestion issues for CrashPlan's service log, now for the other 6. Here is the props stanza I ended up using.</P> <PRE><CODE>[crashplan_service] TIME_PREFIX = ^\[ BREAK_ONLY_BEFORE = (\r\n)?\[\d{2}\.\d{2}\.\d{2}\s\d{2}\:\d{2}\:\d{2}\.\d{3} MAX_TIMESTAMP_LOOKAHEAD = 21 MAX_EVENTS = 1000 NO_BINARY_CHECK = true TIME_FORMAT = %m.%d.%y %H:%M:%S.%3N </CODE></PRE> <P>This allowed Splunk to ingest Crashplan configuration output (yay 600+ lines of xml), into a single event.</P> Tue, 11 Feb 2020 23:49:44 GMT https://community.splunk.com/t5/Getting-Data-In/Crashplan-Service-Log-Date-timestamp-incorrect/m-p/470656#M80902 bmorgenthaler 2020-02-11T23:49:44Z