topic Re: subseconds forwarded via LightForwarder not recognized in Getting Data In

subseconds forwarded via LightForwarder not recognized

Jaci — Tue, 03 Aug 2010 22:43:53 GMT

I have a log event with a timestamp that includes milliseconds: 2010-07-30 11:16:43,357

If the log is loaded into Splunk on the indexer the subseconds get recognized.

If the log is forwarded via LightForwarder, subseconds are not recognized:

7/30/10 11:16:43,000 AM

How can I correct this?

Thanks in advance.

Re: subseconds forwarded via LightForwarder not recognized

Stephen_Sorkin — Wed, 18 Aug 2010 04:57:51 GMT

Is this the case for all data or just from this source? I've tested a 4.1.x instance with the logs in index=_internal and subseconds are correctly parsed and rendered. Are there custom timestamping rules on the forwarder?

Re: subseconds forwarded via LightForwarder not recognized

meno — Tue, 24 Aug 2010 13:06:01 GMT

We are sure there are no other rules on the LightForwarder. We also deleted all files under .../apps/learned and .../etc/users.

Subseconds still are not recognized from ALL sources.

Any more ideas how to debug / loglevel to make timestamp recognition visible ?

Thanks for helping, Meno

Re: subseconds forwarded via LightForwarder not recognized

jhedgpeth — Tue, 21 Dec 2010 22:49:23 GMT

Have you tried setting the time format for that sourcetype explicitly in props.conf? I think the TIME_FORMAT would be %m/%d/%y %H:%M:%S,%3N

Not sure, but there may be a difference in how Splunk examines your data when coming via lightforwarder, and the props.conf setting should force the same behavior.