Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Edit of Time_format in props.conf on Cluster Master does not strike through

yAlff
Path Finder
‎08-14-2013 12:03 AM

Hello Community,

My Setup is 1 SearchHead, 1 Cluster Master, 2 Indexers and a bunch of Forwarders.
A logfile looks something like that:

<134>Aug 14 07:46:04 pm-1234

With pm-1234 as the host name. So Splunk does interpret the pm in the host name as past morning. In the example the interpreted time would be 19:46:04, but it it correctly 07:46:04 AM.

Yesterday, I added to the sourcetype in props.conf on Cluster Master following line:

TIME_FORMAT=%b %d %H:%M:%S

Followed by command

splunk apply cluster-bundle

But as I looked this morning, the new logfile entries are still interpreted false.

What did I forget?

Note: If I ingest the data and define another sourcetype for the data, where I set the TIME_FORMAT right, the timestamp is interpreted correctly; but this is not an option for me; it was only for testing. But if I edit this sourcetype in props.conf, I don't see that the change was successful.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yAlff
Path Finder
‎08-20-2013 07:06 AM

Ok, I had to use

TIME_PREFIX=<134>

now it works! Fine 🙂

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

yAlff
Path Finder
‎08-20-2013 07:06 AM

Ok, I had to use

TIME_PREFIX=<134>

now it works! Fine 🙂

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...