topic Re: Timestamp recognition in Getting Data In

Timestamp recognition

kcchu01 — Tue, 03 Nov 2020 03:55:20 GMT

I am trying to monitor the log file and index to Splunk with the following log format.

02/11/2020,16:09:02,test-xxxxx,DISCONNECT ....

The date format is in DD/MM/YYYY, I added the following stanza in the $SPLUNK/etc/system/local/props.conf of the indexer

[testsourcetype]

TIME_FORMAT = %d/%m/%Y,%H:%M:%S

However the log still not able to be indexed to Splunk, are there anything I missed?

Thank you

Re: Timestamp recognition

gcusello — Tue, 03 Nov 2020 07:56:57 GMT

Hi @kcchu01,

only one question: is there any Heavy Forwatders between the source and the Indexer?

If yes, you have to put this props.conf (also) on Heavy Forwarder.

then add to your props.conf

TIME_PREFIX = ^

to be sure that Splunk takes the correct timestamp.

Another final question: what's the error you have?

Only one final hint. if a test installation it could be also ok, but usually it's a best practice not to put props.conf in $SPLUNK_HOME/etc/system/local, but it in an App or in Technical Add-On (TA).

Ciao.

Giuseppe

Re: Timestamp recognition

kcchu01 — Tue, 03 Nov 2020 08:30:52 GMT

Hi Giuseppe,

No heavy forwarder, just direct connect from UF to Indexer.

Re: Timestamp recognition

gcusello — Tue, 03 Nov 2020 08:38:19 GMT

Hi @kcchu01,

what's the error you have?

ciao.

Giuseppe

Re: Timestamp recognition

kcchu01 — Wed, 04 Nov 2020 01:12:41 GMT

No new log found after modified the props.conf

Re: Timestamp recognition

gcusello — Wed, 04 Nov 2020 11:40:14 GMT

Hi @kcchu01,

Let me understand:

you updated your props.conf on Indexer,
then you restarted Splunk on Indexers,
your source file is changed in the meanwhile;

is this correct?

Check the last point because the props.conf is correct and located in the correct point.

But Splunk doesn't index twice a log.

For test, you could add to inputs.conf, in the stanza of the test input also

crcSalt = <SOURCE>

in this way, changing the file name, you can index it more times.

Ciao.

Giuseppe

Re: Timestamp recognition

kcchu01 — Tue, 10 Nov 2020 01:38:29 GMT

Hi, the log can be indexed again after following your method.

Thanks a lot

Re: Timestamp recognition

gcusello — Tue, 10 Nov 2020 07:11:33 GMT

Hi @kcchu01,

good for you.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉