I'm trying to base the timestamp in the logs on the current time using DATETIME_CONFIG = CURRENT in props.conf. Rather than Splunk extracting the timestamp, I decided the current time would be OK.
The problem is it won't work, and my logs won't index only when I have the above set in props.conf.
Has this ever worked before, or am I missing something here?
The solution was to place the TZ = Australia/City in props.conf and it worked like a charm.
Hey @Dark_Ichigo ,
I guess I am also facing a similar kind of issue, if you can help.
I have log files which are to be monitored on Splunk. Those log files have the date-time constraints within them.
Now when I am searching in the search head, it is taking the timestamp from that log file. But my requirement was just to take the time when the log file is created or last modified.
I got the solution to set DATETIME_CONFIG= none in props.conf. But I am restricted not to make that change.
Do you have any idea on the same?
This was kicking my butt. Thank you my friend.
Yes I have, the name of the sourcetype where it's going to be ingested at.
My suggestion is:
First, check that your props.conf (in which you modified DATETIME_CONFIG=CURRENT) is placed on the heavy forwarder or the indexer (if no heavy forwarder).
Second, check that your props.conf works (you should restart splunkd after you modify props.conf, and you should save your props.conf under the $SPLUNK_HOME/etc/apps//local/ directory); use "splunk btool --debug props list" to check whether your setting works.
I managed to get it working without the DATETIME_CONFIG, although it is something that was causing an issue, and I think I may raise a ticket to Splunk support, unless anyone else has tried it and it works; then the problem isn't with Splunk itself.
The solution was to place the TZ = Australia/City and that worked like a charm.
Thanks though.
There is a way to have Splunk take the date from the file name (or file mod time) and the time from the event - but I can't find the documentation for it...
Also, if the DATETIME_CONFIG=CURRENT isn't working, I would file a support ticket. This just seems wrong.
I have been using Splunk for over 2 years now, so I've already checked all of the above. Thanks.
It's very confusing, you see. I am actually forced to use the current timestamp, all because Splunk won't ingest the %H:%M:S without having a year, month or day attached to it. I don't know where it's getting those dates from; to tell you the truth, it's very random.
It works. Question - what is the full stanza in props.conf? Have you specified the source, sourcetype or host correctly in the stanza header?