- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Splunk Add-on for Microsoft Windows: Why is timest...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a clustered environment with Splunk Add-on for Microsoft Windows deployed to Indexers, Search Heads and Universal Forwarders.
I have an additional application deployed to Indexers and Search Heads to handle the Logbinder WinEventLog. The contents of $SPLUNK_HOME/etc/slave_apps/logbinder/local/props.conf is;
[WinEventLog:LOGbndSP]
TIME_PREFIX = Occurred:\s
TIME_FORMAT = %Y/%m/%d %H:%M:%S
I have also created a $SPLUNK_HOME/etc/slave_apps/logbinder/metadata/meta.local with the following;
[]
export=system
The format of the log is the standard WinEventLog format with the following in the Message details;
Occurred: 2016/12/01 19:00:59
I have ran btool on the Indexers, where the time parsing happens, and the the results show that the TIME_PREFIX and TIME_FORMAT are being picked up, however the value being populated into _time is the Windows Event time, not the time specified starting with Occurred.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After discussing this with Splunk Professional Services, it has been highlighted that not all time extraction happens at the indexer.
WinMon is baked into Splunk and so the time extraction for [WinEventLog:...] is assigned as early as the Universal Forwarder, and CANNOT be changed.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After discussing this with Splunk Professional Services, it has been highlighted that not all time extraction happens at the indexer.
WinMon is baked into Splunk and so the time extraction for [WinEventLog:...] is assigned as early as the Universal Forwarder, and CANNOT be changed.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There is no way to do this. You cannot even overwrite the metadata after the fact. You will either need Splunk to add a feature OR you will need to completely reproduce (clone and modify) the existing modular input yourself.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Still unable to resolve this. The data is being collected by a Universal Forwarder with the Splunk Windows TA installed, could this be causing issues?
The TA is also installed on indexers and search heads, however as stated the logbinder app is unable to change the _time value.
I also ran btool on the indexers and the results show it should be using the values from the logbinder app for this sourcetype.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The timeformat should be %Y/%m/%d %H:%M:%S instead of Y%/%m/%d %H:%M:%S. Also, you don't have any Heavy Forwarder in front of indexer right? Also, the Windows Event log that you collect from the servers, does it have Universal Forwarder installed or Splunk Enterprise version?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The format in the original question was a misprint by me, the app has the correct format as you stated.
No heavy forwarders, just Universal Forwarder direct to Index Cluster Master, then to Indexers.
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
