Solved: Date Format is not recognized

agilhomar · ‎07-03-2023

The Logs I am tring to onboard in Splunk have the following time format, "YY.MM.DD HH:MM:SS" so I made a props.conf accordingly:

[sourcetype name]
DATETIME_CONFIG =
TIME_FORMAT = %y.%m.%d %H:%M:%S
TIME_PREFIX = ^
BREAK_ONLY_BEFORE_DATE = true
MAX_TIMESTAMP_LOOKAHEAD = 20
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false

this config was the one created by splunk when I parsed the Logs as an Upload, there were the dates properl readen. When I deploy this in production the sourctype name exists but does nothing to parse it.

Also, the year, month and day are read 2 times meaning that the hour in the logs is the date. For example, today all the logs are writen in the 23:07:03 hour. I also tried to chande datime_config to current but is also not working. Nothnig that I change in props file is taken into acount in prod. For gaining further commpreension of this case the Logs are Created in the DMZ and sent to the index throug a Deployer in the DMZ. Where could be the problem? Why is it props.conf working on the logs when uploaded and not when sent through a UFW?

agilhomar · ‎07-04-2023

Solved: props.conf was in the wrong directory deployed. That is why it had no effect to change it.

View solution in original post

agilhomar · ‎07-04-2023

Solved: props.conf was in the wrong directory deployed. That is why it had no effect to change it.

gcusello · ‎07-04-2023

Hi @agilhomar ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

isoutamo · ‎07-03-2023

Hi

Can you send a sample log event?

You said that you are collecting logs on UF and then send those via Deployer Server (?). If this is true have you set that props.conf to your DS as it is acting like intermediate forwarder before indexers? You also must restart DS after you have change that props.conf on it. Or are you meaning that you have configured inputs.conf for your UF on DS and then send those to UF? If that then you should also add props.conf into first full enterprise instance from UF to IDX and also do a restart for that instance. I suppose that this is your situation as yo shouldn't use DS as IHF also. If you are needing separate IHF for DMZ log just set e.g. min two separate HF for that purpose (don't you DS as it).

r. Ismo

PickleRick · ‎07-03-2023

There are several things going on here...

1. "the Logs are Created in the DMZ and sent to the index throug a Deployer in the DMZ". Deployer is a component used for managing search-head cluster so I'm pretty sure that even if you have a search-head cluster, it has nothing to do with your ingestion process.

2. The most important bit - where are you deploying the settings - on which component? (and in which file(s)).

3. Watch out for letter case - DATETIME_CONFIG and datetime_config are two different option names. One is valid, other is not.

agilhomar · ‎07-03-2023

Fisrst of all thank you very much for the quick response. I will try to clarify every aspect that you mention.

1. The logs are created in the DMZ and sent to a HFW there. Then they are sent from the HFW to the index cluster. The HFW acts as a forwarder manager for the DMZ Hosts.

2. In this HFW under deploying-apps I have the Forwarder Apps. There for every specific app, I have the inputs.conf and the props.conf both of them are in the following path $ForwarderAppName/default. In inputs.conf I set the monitor stanzas and in props.conf I set the sourcetypes config. I have also Serverclasses that bound my Forwarder Apps with the Host I want to get the logs of.

3 In the Config file I used the valid one: DATETIME_CONFIG

isoutamo · ‎07-03-2023

So you have Deployment Server acting as IHF (intermediate heavy forwarder) too. This is not a recommended configuration! You should have separate IHF or even min two of them between your UFs and indexers.

Until you could fix this you must install all those props.conf also into DS into own apps. You cannot use DS to deploy these into itself! That didn't end nice if you try it 😞

props.conf (and other too) are handled into 1st full enterprise instance (which is in your case DS). Rest instances only forward those or index those. They don't do anything else for events. I suppose that you haven't installed props.conf into DS under separate app into $SPLUNK_HOME/etc/apps/<your props app>. Just install those there (or preferable way is add a new pair of IHF and use those) and then restart it.

gcusello · ‎07-03-2023

Hi @agilhomar,

could you share a sample of your logs?

Then where did you located the props.conf? have you intermediate Heavy Forwarders?

Ciao.

Giuseppe

agilhomar · ‎07-03-2023

Hi Giuseppe,

The logs are like this (2 events):

23.06.27 09:19:30 [id:1234567]ERROR: Fail to attach shared memory:[RULE]

23.06.27 09:19:30 [id:1234567]ALERT-:condition[AppBase]

Thank you very much for your quick response!

Agil

Date Format is not recognized

props.conf

sourcetype

universal forwarder

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?