All,
So here is my log -
date="[22/Jun/2016:17:25:05 +0000]" xff="166.170.220.3"
It's well formatted. I am just not sure how to handle the ="[ component?
Like this:
props.conf:
TIME_PREFIX = date="\[
TIME_FORMAT = %d/%b/%Y:%H:%M:%S %z
MAX_TIMESTAMP_LOOKAHEAD = 26
Thanks! Worked like a charm.
Hi daniel333, you can use the TIME_PREFIX props setting to tell Splunk the pattern that precedes the timestamp, i.e.
TIME_PREFIX = date="\[
You can then set MAX_TIMESTAMP_LOOKAHEAD to match the expected number of characters, i.e.
MAX_TIMESTAMP_LOOKAHEAD = 27
This should be enough to cause Splunk to correctly assign a time to the event, but if not you can use TIME_FORMAT and work out the strftime setting that matches the timestamp.
Please let me know if this answers your question!
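To make the two answers above concrete, here is an added example (not from the original thread or from Splunk) that models what the three settings do: find TIME_PREFIX, take MAX_TIMESTAMP_LOOKAHEAD characters after it, locate the timestamp in that window and parse it with TIME_FORMAT. The sample events are constructed in the questioner's format, the regex standing in for Splunk's scan of the window is a simplification, and the format uses %S for seconds; in strptime terms %s means seconds since the epoch, so the lowercase variant would not match this timestamp. The example also computes the minimum lookahead the timestamp needs, which settles the 26-versus-27 question, and shows what happens when the lookahead is too short. The effect on an investigation is real: an event whose time is not extracted gets stamped with index time, and it then lands outside the window you search when correlating against other sources.

```python
import re
from datetime import datetime

# Constructed sample events in the questioner's format (not real traffic).
SAMPLE_EVENTS = [
    'date="[22/Jun/2016:17:25:05 +0000]" xff="166.170.220.3" status="200"',
    'date="[23/Jun/2016:03:14:59 -0500]" xff="10.0.0.7" status="403"',
]

# The props.conf settings from the accepted answer. %S is seconds within the
# minute; %s would mean seconds since the epoch and would not match here.
TIME_PREFIX = r'date="\['
TIME_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
MAX_TIMESTAMP_LOOKAHEAD = 26

# Regex equivalent of TIME_FORMAT, used to find the timestamp inside the
# lookahead window. Assumption: a simplified stand-in for Splunk's own scan.
TIMESTAMP_RE = re.compile(r"\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}")


def lookahead_window(event, time_prefix=TIME_PREFIX, lookahead=MAX_TIMESTAMP_LOOKAHEAD):
    """Return the `lookahead` characters after the first TIME_PREFIX match,
    or None when the prefix is absent (Splunk would fall back to other
    heuristics there; this model does not reproduce them)."""
    m = re.search(time_prefix, event)
    if m is None:
        return None
    return event[m.end():m.end() + lookahead]


def extract_timestamp(event, time_prefix=TIME_PREFIX, time_format=TIME_FORMAT,
                      lookahead=MAX_TIMESTAMP_LOOKAHEAD):
    """Locate the timestamp within the lookahead window and parse it with
    time_format. Returns a timezone-aware datetime, or None on failure."""
    window = lookahead_window(event, time_prefix, lookahead)
    if window is None:
        return None
    m = TIMESTAMP_RE.search(window)
    if m is None:
        return None
    try:
        return datetime.strptime(m.group(0), time_format)
    except ValueError:
        return None


def to_epoch(event, **kwargs):
    """Epoch seconds for the event, or None. The %z offset is honoured, so
    the -0500 sample lands five hours later in UTC than its wall-clock text."""
    ts = extract_timestamp(event, **kwargs)
    return None if ts is None else int(ts.timestamp())


def required_lookahead(event, time_prefix=TIME_PREFIX):
    """Number of characters after the prefix needed to see the whole
    timestamp, i.e. the smallest MAX_TIMESTAMP_LOOKAHEAD that works."""
    window = lookahead_window(event, time_prefix, lookahead=len(event))
    m = TIMESTAMP_RE.search(window) if window else None
    return None if m is None else m.end()


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(required_lookahead(ev), extract_timestamp(ev).isoformat(), to_epoch(ev))
    # A lookahead shorter than the timestamp cuts off the zone and the parse fails.
    print(extract_timestamp(SAMPLE_EVENTS[0], lookahead=20))
```

Run it as a script to see 26 printed as the required lookahead for both samples, which is why either 26 or 27 works in props.conf while anything shorter than 26 drops the zone offset and loses the timestamp.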
You could edit the following props.conf settings to handle that:
TIME_PREFIX =
MAX_TIMESTAMP_LOOKAHEAD =
TIME_FORMAT =
These can be edited under $SPLUNK_HOME/etc/system/local OR in an app under $SPLUNK_HOME/etc/apps depending on your setup.