Re: How do I configure my heavy forwarders to pars...

tkwaller · ‎06-24-2016

Hello

I'm having an issue with timestamping for my WinRegistry data.
I don't know whether by design, or for some other reason, the timestamp in the logs are as such:

11/02/11154 14:24:53.046

which of course is interpreted incorrectly. These Universal Forwarders forward to a cluster of Heavy Forwarders where an app SHOULD set the timestamp:

[WinRegistry]
DATETIME_CONFIG = CURRENT

but this does not seem to be the case as I have logs that go back to 1969 and forward to 2032.

Any ideas on where the issue may be?

Thanks for the thoughts

woodcock · ‎06-24-2016

Your sourcetype must match EXACTLY; does it? You must restart your Splunk instance on the server where you changed this setting.

I would not use this approach, though; I would use SEDCMD to rewrite the timestamp with this:

s/^(\d+\/\d+)\/1115/\1\/2014/

You will have to fix this every New-Year's Eve (or until you can get the log writer/formatter fixed).

tkwaller · ‎06-24-2016

Yeah they match, in the app on the UF its:
[source::....winregistry]
sourcetype = WinRegistry

in the props on the HF the stanza is:
[WinRegistry]
DATETIME_CONFIG = CURRENT

woodcock · ‎06-24-2016

Did you restart splunk instances?

tkwaller · ‎06-27-2016

Yeah I did. This has actually been in place for quite some time and hasn't been working. Just haven't had time for get to it until now.

tkwaller · ‎07-13-2016

I actually have a webex with support on this today. I believe that there's an issue with linebreaking and its inserting values where they should not be and its affecting the timestamp.
Thanks for looking at it!

How do I configure my heavy forwarders to parse the timestamp for a WinRegistry sourcetype?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!