I have the following event being sent from a Universal Forwarder (UF) syslog server to a standalone instance of Splunk:
4656Open Object101.3CIFS000x8020000000000000Audit SuccessSecurityc5e81075-f14f-11e3-9b1e-123478563412/cd4c5993-11b0-11e4-92a9-123478563412134.82.79.10S-1-5-21-2136110353-913448559-1712093940-13349falseBUCKNELLleisnhth-aSecurityFile00000000000466;00;015ce358;514e6b60(netspace_departments);/isr/public/www2/bu_only/AICT/images/oversize/IRM195.jpg%%4423 %%1538 2080Read Attributes; Read ACL;
The data is obviously in an XML format. I created a subdirectory within $SPLUNK_HOME/etc/deployment-apps/IA-naaudit and in the default dir I have an inputs.conf:
[monitor:///var/log/rsyslogs/Netapp/audit_svm_netspace_last.xml]
index = netapp
sourcetype = audit
_TCP_ROUTING = dev_splunk
and an outputs.conf
[tcpout:dev_splunk]
server = sptest:9996
I manually replicated these dirs and files on the UF in /opt/splunkforwarder/etc/apps/
I am now receiving the event data shown above.
On the standalone instance I created the dir $SPLUNK_HOME/etc/deployment-apps/TA-naaudit and in the local dir I created
props.conf:
[netapp]
KV_MODE = xml
TIME_PREFIX = \ntscripts\<
DEST_KEY = queue
FORMAT = nullQueue
Here is my problem: from the event you can see that it should have the timestamp "2017-03-27T16:18:55.218021000Z". When I do a search on index=netapp this event (along with a gazillion others) it gets the time stamp "3/27/17 12:40:40.000 PM" which is incorrect.
Also, I'm trying to drop the events with the user "ntscripts" but they show up in the search as well.
Can you tell me where I'm going wrong?
Thanks,
Mike
You need this setting, too:
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%9N%z
The directory $SPLUNK_HOME/etc/deployment-apps is for storing the deployment app that you push if your current server is a deployment server. Since you copied the app IA-naaudit with inputs.conf manually on UF, that was fine. You need to place the $SPLUNK_HOME/etc/deployment-apps/TA-naaudit in $SPLUNK_HOME/etc/apps/TA-naaudit directory, place from where your standalone Splunk instance will read/load the configuration.
Thanks. I used btool and found I wasn't loading that particular props.conf file.