Hi Team,
I have one file (in the picture) that I am unable to catch and index.
I have this configuration in my input.conf:
[monitor://D:\eo\contLive\logs\job*.log]
sourcetype = progress:inter
index = progress
crcSalt = <SOURCE>
disabled = false
[monitor://D:\eo\contLive\logs\*.log]
sourcetype = progress:contlive
index = progress
disabled = false
The source type progress:inter has been created in a specific TA (props.conf below):
[ progress:inter ]
SHOULD_LINEMERGE=false
NO_BINARY_CHECK=true
CHARSET=UTF-8
REPORT-intervention-status=REPORT-intervention-status
category=Structured
disabled=false
TIME_FORMAT=%d/%m/%Y %H:%M:%S.%3N
I already tried using only this input, and the specific file (jobstatus.log) is not indexed:
[monitor://D:\eo\contLive\logs\*.log]
sourcetype = progress:contlive
index = progress
disabled = false
Many thanks for your help
Hi,
All was correct with
[ progress:inter ]
SHOULD_LINEMERGE=true
disabled=false
TZ=Europe/Paris
TIME_FORMAT=%d/%m/%Y %H:%M:%S.%3N
Hi All,
I have a strange issue.
Since 01 December 2018 the date format is not recognized.
My source in input.conf
[monitor://D:\eo\contLive\logs\job*.log]
sourcetype = progress:inter
index = progress
crcSalt = <SOURCE>
disabled = false
The TA of my progress:inter in the props.conf
[ progress:inter ]
SHOULD_LINEMERGE=true
disabled=false
TZ=Europe/Paris
TIME_FORMAT=%d/%m/%Y %H:%M:%S.%3N
And the
the date's month and day are not the correct ones.
10 December is 12 October
Many thanks
From this host, do you receive other logs fine? Was the UF newly installed?
When did the UF last communicate with the DS?
When you did the app push from the DS to this UF, was it successful?!?!
Hi @iventsekar
Yes, I receive other logs fine:
The UF was on 6.6.4; I just updated to the latest one, v7.2.0, but the problem is the same.
The last connection was "Few seconds" 🙂
All the modifications made on the DS (input.conf) were successfully pushed to the UF.
In the splunkd.log on the UF I can see that my config was good and the file was found.
11-09-2018 08:43:31.448 +0100 INFO WatchedFile - Will begin reading at offset=5934250 for file='D:\eo\contLive\logs\jobStatus.log'.
but not indexed ...
Are you sure it didn't get indexed? If it has an offset, it did read it earlier.
Could there be something wrong with the timestamp in your logfile? (Try searching way back with "All Time", but also in the future, "now > +20y".)
If there are timestamp issues, it also could have been deleted immediately if it is outside your accepted time range.
Hi @teunlaan
You're right!!!
My event was timestamped in September.
But the correct date is today, 09 November: French and US time mismatch.
Is there any solution to correct this?
Sounds like your TIME_FORMAT setting is not being applied (as that setting does seem to have the correct format). Instead, Splunk takes a guess, and mixes up days and months.
Where have you deployed the props.conf? If you ingest using a UF, the props needs to be on your indexer, to apply that TIME_FORMAT setting.
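The day/month mix-up described in this thread, as an added example that is not part of any poster's reply: a small Python check that compares each raw timestamp with the time the event was stored under and flags the ones read month-first. The sample pairs, function names and the `%f` stand-in for `%3N` are assumptions made for illustration.

```python
from datetime import datetime

# Python stand-ins for the thread's TIME_FORMAT (%d/%m/%Y %H:%M:%S.%3N);
# strptime has no %3N, so %f reads the millisecond digits.
DAY_FIRST = "%d/%m/%Y %H:%M:%S.%f"
MONTH_FIRST = "%m/%d/%Y %H:%M:%S.%f"  # the wrong reading (assumed guess)


def parse(raw, fmt):
    """Return a datetime, or None when raw is not valid under fmt."""
    try:
        return datetime.strptime(raw, fmt)
    except ValueError:
        return None


def classify(raw, indexed):
    """Compare the raw timestamp text with the time the event was stored under."""
    intended = parse(raw, DAY_FIRST)
    if intended is None:
        return "unparseable"
    if indexed == intended:
        return "ok"
    if indexed == parse(raw, MONTH_FIRST):
        return "swapped"
    return "other"


def is_ambiguous(raw):
    """True when both readings are valid and differ (day <= 12, day != month)."""
    a, b = parse(raw, DAY_FIRST), parse(raw, MONTH_FIRST)
    return a is not None and b is not None and a != b


# Constructed sample: (raw timestamp text, time the event was indexed under).
SAMPLE = [
    ("09/11/2018 08:43:31.448", datetime(2018, 9, 11, 8, 43, 31, 448000)),
    ("10/12/2018 07:15:00.000", datetime(2018, 10, 12, 7, 15, 0)),
    ("25/11/2018 10:00:00.120", datetime(2018, 11, 25, 10, 0, 0, 120000)),
    ("11/11/2018 23:59:59.999", datetime(2018, 11, 11, 23, 59, 59, 999000)),
]


def audit(events):
    """Return the raw timestamps whose stored time is the month-first reading."""
    return [raw for raw, indexed in events if classify(raw, indexed) == "swapped"]


if __name__ == "__main__":
    for raw, indexed in SAMPLE:
        print(raw, "->", indexed.isoformat(), classify(raw, indexed), is_ambiguous(raw))
```

Only timestamps whose day is 12 or lower can be misread this way, so a source with an unapplied day-first format looks correct for part of each month and wrong for the rest.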
Hmmm, your time_format looks OK.
Have you tried inserting it with the GUI (Add Data), to see if it recognizes the timestamp correctly?
I guess the problem is the " | " that is connected with the time
(At this moment I don't have access to a machine to do some tests, sorry.)
By looking at your props.conf, that jobStatus.log looks like a simple/normal file.
Maybe try this: simply remove the props.conf and see if the file gets ingested.
Then, write the props.conf file line by line (after understanding each line's meaning).
We also had a similar issue. We used the above method and it worked fine.
Did you check the permissions on the file? This stanza [monitor://D:\eo\contLive\logs\*.log] should catch all files ending with .log. If you want job*.log with a different sourcetype, try this inputs.conf:
[monitor://D:\eo\contLive\logs\*.log]
sourcetype = progress:contlive
index = progress
disabled = false
blacklist = job[\d\w]+\.log$
[monitor://D:\eo\contLive\logs\job*.log]
sourcetype = progress:inter
index = progress
crcSalt = <SOURCE>
disabled = false
Thanks @Rob2520 for your reply.
I have the same problem with the blacklist setting.
As for the permissions, they are the same as for the other files (Windows server, all the folder's file permissions are inherited).
I also tried copying this file to job2.log to check whether the problem came from the quick usage of the file by my application, but job2.log was also not indexed.
😕