Hello
I am trying to extract a timestamp from this type of event. Here, 04 is the day of the month and 12 is the month (December).
On the search head, these events currently appear as 12th April:
[04/12/2018 10:16:04] CAUAJM_I_40245 EVENT: CHANGE_STATUS STATUS: SUCCESS JOB: esysprod_NOA_5_min_box
[04/12/2018 10:26:03] CAUAJM_I_40245 EVENT: CHANGE_STATUS STATUS: SUCCESS JOB: esysprod_EX900 MACHINE:
It looks pretty straightforward, but I cannot figure out what I am doing wrong.
The source type for these events is called "autosys_events_prod".
So, I created a props.conf as below and placed it in the app that gets distributed from my deployment server.
I also verified on the server where the log is created that the props.conf file is updated, and I also restarted Splunk on the Universal Forwarder.
[splunk@msplunkutil01 local]$ cat props.conf
[autosys_events_prod]
# TIME_PREFIX is a regular expression, so the literal "[" must be escaped
TIME_PREFIX = ^\[
# day/month/year, so 04/12/2018 is 4 December, not 12 April
TIME_FORMAT = %d/%m/%Y %H:%M:%S
SHOULD_LINEMERGE = false
# "04/12/2018 10:16:04" is exactly 19 characters
MAX_TIMESTAMP_LOOKAHEAD = 19
I have tried different time prefix(es) without success.
How do I know if my props.conf is actually being used?
Everything I have tried seems to have no effect so far.
What is the best way to troubleshoot this?
Thank you for your help in advance.
It is the first time I am trying to extract a timestamp from an event, so I might be doing something wrong.
Blaise
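A small Python check, added here and not part of the original question or of Splunk itself, that mimics the TIME_PREFIX / TIME_FORMAT / MAX_TIMESTAMP_LOOKAHEAD settings from the props.conf above over the two sample events and shows why the day-first format string matters (a month-first read of the same text gives 12 April). The function names and the simplified model of Splunk's timestamp recognition are my own assumptions, not Splunk's implementation.

```python
import re
from datetime import datetime

# Constructed copies of the two sample events from the question.
SAMPLE_EVENTS = [
    "[04/12/2018 10:16:04] CAUAJM_I_40245 EVENT: CHANGE_STATUS STATUS: SUCCESS JOB: esysprod_NOA_5_min_box",
    "[04/12/2018 10:26:03] CAUAJM_I_40245 EVENT: CHANGE_STATUS STATUS: SUCCESS JOB: esysprod_EX900 MACHINE:",
]

# The intended props.conf values; TIME_PREFIX is escaped so it is a valid regex.
TIME_PREFIX = r"^\["
TIME_FORMAT = "%d/%m/%Y %H:%M:%S"
MAX_TIMESTAMP_LOOKAHEAD = 19


def check_prefix(time_prefix):
    """True if TIME_PREFIX compiles as a regex; the unescaped '^[' does not."""
    try:
        re.compile(time_prefix)
        return True
    except re.error:
        return False


def extract_timestamp(event, time_prefix=TIME_PREFIX, time_format=TIME_FORMAT,
                      lookahead=MAX_TIMESTAMP_LOOKAHEAD):
    """Simplified model of Splunk's recognition (assumption, not Splunk code):
    locate TIME_PREFIX, then parse at most `lookahead` characters after it
    with TIME_FORMAT. Returns a datetime, or None if the prefix is invalid,
    does not match, or the window does not parse."""
    if not check_prefix(time_prefix):
        return None
    m = re.search(time_prefix, event)
    if m is None:
        return None
    window = event[m.end():m.end() + lookahead]
    try:
        return datetime.strptime(window, time_format)
    except ValueError:
        return None


def day_first_vs_month_first(event):
    """Return (ISO string with %d/%m, ISO string with %m/%d) for one event,
    to make the 4 December vs 12 April ambiguity explicit."""
    day_first = extract_timestamp(event)
    month_first = extract_timestamp(event, time_format="%m/%d/%Y %H:%M:%S")
    return (day_first.isoformat() if day_first else None,
            month_first.isoformat() if month_first else None)
```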
Hello
I have finally resolved the issue. The problem was that I have a distributed environment,
so, like Prakash suggested, the props.conf needs to be on the indexers, where the timestamp extraction is done.
I have completely removed the props.conf from the universal forwarder server, where I only left the inputs.conf to define the inputs.
Thank you for all your help
Blaise