We have data coming into Splunk that looks like:
DATA_FEED[00ZA044]:08/07 06:59:59 Got 'ABCDL NO PENDING TRANSACTIONS FOUND FOR REQUEST ' in file - LaLaStuff
DATA_FEED[00ZA044]:08/07 06:59:59 Queued time was 1.02, starting up a slave.
DATA_FEED[64946350]:08/07 06:59:59 Connecting to DB.
DATA_FEED[00ZA031]:08/07 06:59:59 received 'get_pending_orders:0038:12345678901'
The date/time is being parsed incorrectly. Splunk is reading the date for the above as 07/06/2008 which is really screwing things up.
We then modified the props and added:
TIME_FORMAT = %m/%d %H:%M:%S
Bounced all the search heads and indexers with the new props. Still coming in wrong.
Would adding the following be of any help? Also, make sure that you add this config to the correct link in the chain, i.e. where the parsing phase occurs. That is normally the indexer, but if your data passes through a Heavy Forwarder before reaching the Indexers, the configs should go there. No need to put it on a dedicated Search Head, though it can't really hurt.
props.conf
[your_sourcetype]
TIME_PREFIX = \]:
MAX_TIMESTAMP_LOOKAHEAD = 20
Don't forget to restart - for more info, see http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings
/Kristian
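To make the effect of the three settings concrete, here is an added example (mine, not from the thread or from Splunk's own code) that emulates what TIME_PREFIX, TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD do to the sample lines: anchor on the prefix, read at most the lookahead window, then parse with the strptime format. It is a simplified model, not Splunk's actual timestamp processor; in particular it does not reproduce the automatic detection that mis-read these events. The sample events are constructed from the lines quoted in the question, and the year 2012 is an assumption standing in for Splunk's "fill in the current year" behaviour.

```python
import re
from datetime import datetime

# Constructed sample events modelled on the lines quoted in the question (not live data).
SAMPLE_EVENTS = [
    "DATA_FEED[00ZA044]:08/07 06:59:59 Got 'ABCDL NO PENDING TRANSACTIONS FOUND FOR REQUEST ' in file - LaLaStuff",
    "DATA_FEED[00ZA044]:08/07 06:59:59 Queued time was 1.02, starting up a slave.",
    "DATA_FEED[64946350]:08/07 06:59:59 Connecting to DB.",
    "DATA_FEED[00ZA031]:08/07 06:59:59 received 'get_pending_orders:0038:12345678901'",
]

# strptime directive -> regex fragment; enough for the formats discussed in this thread.
_DIRECTIVES = {
    "%Y": r"\d{4}", "%y": r"\d{2}", "%m": r"\d{1,2}", "%d": r"\d{1,2}",
    "%H": r"\d{1,2}", "%M": r"\d{2}", "%S": r"\d{2}", "%b": r"[A-Za-z]{3}",
}


def _format_to_regex(time_format):
    """Turn a TIME_FORMAT such as '%m/%d %H:%M:%S' into a regex that matches
    exactly the characters the timestamp occupies (literal text is escaped)."""
    out, i = [], 0
    while i < len(time_format):
        tok = time_format[i:i + 2]
        if tok in _DIRECTIVES:
            out.append(_DIRECTIVES[tok])
            i += 2
        else:
            out.append(re.escape(time_format[i]))
            i += 1
    return "".join(out)


def extract_timestamp(event, time_format, time_prefix=None,
                      max_lookahead=150, assume_year=2012):
    """Emulate the props.conf trio on one event.

    1. TIME_PREFIX: regex whose end marks where the timestamp may begin
       (None = start of event).
    2. MAX_TIMESTAMP_LOOKAHEAD: only this many characters after the prefix
       are examined, so it must cover the whole timestamp.
    3. TIME_FORMAT: strptime format applied to the text found there.
    Returns a datetime, or None when the prefix or the format does not match.
    """
    start = 0
    if time_prefix is not None:
        m = re.search(time_prefix, event)
        if m is None:
            return None
        start = m.end()
    window = event[start:start + max_lookahead]
    m = re.match(r"\s*(" + _format_to_regex(time_format) + r")", window)
    if m is None:
        return None
    text, fmt = m.group(1), time_format
    if "%Y" not in fmt and "%y" not in fmt:
        # Splunk supplies a missing year from the current date; pinned here
        # (assumption: events are from 2012) so the result is deterministic.
        text, fmt = f"{assume_year} {text}", f"%Y {fmt}"
    return datetime.strptime(text, fmt)


def parse_all(events, time_format, time_prefix, max_lookahead):
    """Apply one props.conf configuration to every event in the list."""
    return [extract_timestamp(e, time_format, time_prefix, max_lookahead)
            for e in events]


if __name__ == "__main__":
    fmt = "%m/%d %H:%M:%S"
    # Both prefixes from the thread end at the same position, so they agree.
    for prefix in (r"\]:", r"^[^\]]+\]\:"):
        print(prefix, parse_all(SAMPLE_EVENTS, fmt, prefix, max_lookahead=20))
    # A lookahead that stops inside the timestamp yields no match at all.
    print("lookahead 10:", extract_timestamp(SAMPLE_EVENTS[0], fmt, r"\]:", max_lookahead=10))
```

The lookahead case is the one to keep in mind: the timestamp here is 14 characters, so 20 is comfortable, but a value that ends inside the timestamp does not produce a partially correct time; it produces no match, and Splunk falls back to its own heuristics. In the real system the settings are only applied at parse time on the indexer or heavy forwarder, exactly as the answer above says.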
Thanks. Not getting errors. Just being parsed incorrectly.
Search heads will not need any updating - timestamp parsing is a pure index-time operation. Consider looking in splunkd.log for errors related to this (the timestamp processor is generally pretty good at throwing errors in the log).
I use it and it works great for the newly indexed data!! Am I doing anything wrong without knowing!!!
Thanks.
This works great.
TIME_FORMAT=%m/%d %H:%M:%S
TIME_PREFIX=\]:
Pushed the updated props.conf to the appropriate places. It did NOT require a restart or a refresh.
Unfortunately, linu1988, time recognition isn't one that can be hit with a debug/refresh. That one requires the Indexer restarts as kristian.kolb mentioned.
No, you can't use the /debug/refresh endpoint for this. Any changes to settings affecting index-time behaviour requires a restart to take effect.
Don't use the full prefix; the answer posted is correct, as the time prefix only needs to be unique just before the timestamp starts. And FYI, if you want the configs to update without a restart, you can use the link below; the new changes will be applied.
http://server:8000/en-US/debug/refresh
Except for some of the configs, minor changes can be done with it 🙂
Thanks. I will give that a try. Can't bounce our indexers until tonight (too many users).
I am also looking at: TIME_PREFIX = ^[^\]]+\]\:
Thanks for the link. Very useful.