Getting Data In

Incorrect Timestamp

damo66a
Explorer

Hello,

I have some XML files coming in, which is working fine; however, despite setting TIME_FORMAT to %d/%m/%Y %H:%M:%S, it is still putting some events into indexes with MM/DD/YYYY.

The time format is set in a props.conf file for my input, but it appears to be ignoring it.

I've also noticed that despite me telling it to use a particular sourcetype, it's making up its own that isn't in my instance. Could that be the reason? If so, why?

Any ideas?

Thanks in advance.


richgalloway
SplunkTrust

The wrong sourcetype will prevent Splunk from using any of the settings for the expected sourcetype. Fix that and TIME_FORMAT should work. Share your inputs.conf settings if you need help with the sourcetype setting.

Also, make sure your props.conf file is in the right place (indexer or HF) and the instance was restarted after the file was changed.

---
If this reply helps you, Karma would be appreciated.
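To see what the symptom in the question looks like at the event level, here is an added Python check (not from the thread or from Splunk) that parses constructed day-first sample events with the configured TIME_FORMAT and with the month-first order the poster observed, and reports which events would be silently shifted (day <= 12) and which would fail to parse at all. The sample events and their XML fragments are constructed for illustration.

```python
from datetime import datetime

CONFIGURED = "%d/%m/%Y %H:%M:%S"   # TIME_FORMAT from the thread's props.conf
FALLBACK = "%m/%d/%Y %H:%M:%S"     # month-first order seen in the index

# Constructed sample events (not real data): a day-first timestamp
# followed by an XML fragment, as the thread describes.
SAMPLE_EVENTS = [
    "03/05/2021 14:02:11 <Journal><Event>door opened</Event></Journal>",
    "25/05/2021 09:15:00 <Journal><Event>badge denied</Event></Journal>",
    "12/12/2021 23:59:59 <Journal><Event>heartbeat</Event></Journal>",
]


def extract_timestamp(event):
    """Return the leading 'dd/mm/yyyy HH:MM:SS' part of an event line."""
    return " ".join(event.split(" ", 2)[:2])


def classify(event):
    """Return (intended, fallback, status) for one event.

    'ok'       both orders give the same instant (day == month)
    'swapped'  month-first parses but to a different date (day <= 12,
               so the error is silent and the event lands on the wrong day)
    'unparsed' month-first cannot parse at all (day > 12)
    """
    ts = extract_timestamp(event)
    intended = datetime.strptime(ts, CONFIGURED)
    try:
        fallback = datetime.strptime(ts, FALLBACK)
    except ValueError:
        return intended, None, "unparsed"
    return intended, fallback, "ok" if fallback == intended else "swapped"


def audit(events):
    """Count each status and record the day shift of every swapped event."""
    counts = {"ok": 0, "swapped": 0, "unparsed": 0}
    shifts = []
    for ev in events:
        intended, fallback, status = classify(ev)
        counts[status] += 1
        if status == "swapped":
            shifts.append((fallback - intended).days)
    return counts, shifts


if __name__ == "__main__":
    print(audit(SAMPLE_EVENTS))
```

Events that come back as "swapped" are the ones that look correctly indexed at a glance but carry a wrong _time, which is why checking a sample of events with day <= 12 against the raw timestamp is the quickest confirmation that the sourcetype's TIME_FORMAT is not being applied.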

damo66a
Explorer

I think perhaps I may have done this wrong then.

My inputs.conf is as follows:

[fschange:E:\Logs\*]
pollPeriod = 60
signedaudit=false
fullEvent=true
sendEventMaxSize=-1

index = ccure_sitedata
sourcetype = ccure_site_journal

Looking at sourcetypes in my cloud instance, the above-mentioned sourcetype does have a TIME_FORMAT flag set.

As part of the app I have also done a props.conf file, but presumably from what you have said, that is incorrect? (I'm using Splunk Cloud, so presumably I can't edit the props file.)

props.conf

TIME_FORMAT = %d/%m/%Y %H:%M:%S

I am fairly new at this, so please forgive me for the formatting of these.


damo66a
Explorer

I have been doing some more testing and structured the inputs.conf file as per the Splunk docs, but the input is completely ignoring the fact that I'm telling it to use a particular sourcetype and, as such, ignoring the format behind that.

From what I can tell, it's only marking the first event (or two) with the required sourcetype and then stating xml as the sourcetype for the rest, when there actually isn't a sourcetype named that.

What am I doing wrong? I've followed the documentation.


erika_horton
Explorer

I presume you are running this from a UF or HF. Do you have access to the forwarder to run btool?
I would start by running btool on the input to verify the sourcetype configuration isn't getting clobbered there, then I would also btool the props of the sourcetype to see if the time format is correct.

Directions: https://docs.splunk.com/Documentation/Splunk/8.1.3/Troubleshooting/Usebtooltotroubleshootconfigurati...


damo66a
Explorer

I have tried to use btool and it's not jumping out with any errors or anything. To be fair, I'm not 100% sure I'm doing it right.

richgalloway
SplunkTrust

I've never experienced the sourcetype changing midstream like that. Do you have any transforms installed that may be setting the sourcetype based on the data it sees?

---
If this reply helps you, Karma would be appreciated.

damo66a
Explorer

I don't believe I have any transforms, certainly not any I've put in myself.

I have a props.conf that contains the time format as stated above. Other than that, nothing.

damo66a
Explorer

Any ideas, anyone?

damo66a
Explorer

No one?