Getting Data In

DATETIME_CONFIG issue

Dark_Ichigo
Builder

Im trying to base the timestamp in the logs on the current time using DATETIME_CONFIG = CURRENT in props.conf rather than Splunk extracting the timestamp I decided the the current time would be ok.

The problem is it wont work, and my logs wont index only when I have the above set in props.conf

Has this ever worked before?, or am Missing something here?

Source: link text

0 Karma
1 Solution

Dark_Ichigo
Builder

The solution was to place the TZ = Australia/City in props.conf and it worked like a Charm.

View solution in original post

Dark_Ichigo
Builder

The solution was to place the TZ = Australia/City in props.conf and it worked like a Charm.

sarvesh_11
Communicator

Hey @Dark_Ichigo ,
i guess i am also facing similar kind of issue, if you can help.
I have log files, which is to be monitor on splunk. Those log files within them have the DATE Time constraints.
Now when i am searching in search head, it is taking the time stamp from that log file. But my requirement was just to take the time, when the log file is created or last modified.

I got the solution to set DATETIME_CONFIG= none in props.conf. But i am restricted not to make that change.
Do you have any idea on the same?

0 Karma

pipegrep
Path Finder

This was kicking my butt. Thank you my friend.

0 Karma

Dark_Ichigo
Builder

Yes I have, the name of the Sourcetype where its going to be ingested at

0 Karma

dmlee
Communicator

my suggestion is :

first, check your props.conf (which you had modified DATETIME_CONFIG=CURRENT ) is placed in heavy forwarder or indexer (if no heavy forwarder).

second, check your props.conf is work (you should restart splunkd after you modify props.conf; and you should save your props.conf under $SPLUNK_HOME/etc/apps//local/ directory ), use "splunk btool --debug props list" to check if your setting is work

Dark_Ichigo
Builder

I managed to get it working without the DATETIME_CONFIG, although it is something that was causing an issue and I think I may raise a ticket to Splunk support unless anyone else has tried it and it works then the problem isnt with Splunk itself.

The solution was to place the TZ = Australia/City and that worked like a Charm.

Thanks Though

0 Karma

lguinn2
Legend

There is a way to have Splunk take the date from the file name (or file mod time) and the time from the event - but I can't find the documentation for it...

Also, if the DATETIME_CONFIG=CURRENT isn't working, I would file a support ticket. This just seems wrong.

0 Karma

Dark_Ichigo
Builder

I have been using splunk for over 2 years now, so Iv already checked all of the above, Thanks

Its very confusing you see, I am actually forced to use the current timestamp all because Splunk wont ingest the %H:%M:S without having a Year Month or Day attached to it, I dont know where its getting those dates from to tell u the truth its very random

0 Karma

lguinn2
Legend

It works. Question - what is the full stanza in props.conf? Have you specified the source, sourcetype or host correctly in the stanza header?

Get Updates on the Splunk Community!

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...

Splunk and Fraud

Watch Now!Watch an insightful webinar where we delve into the innovative approaches to solving fraud using the ...