- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have log files which have timestamp format like
04/10/2012 07:50:09 - dd/mm/yyyy HH:MM:SS
but indexer thinks it's a mm/dd instead of dd/mm. Logs are monitored by forwarder which has a props.conf
[source::E:\Logging\]
TIME_FORMAT = %d/%m/%Y %H:%M:%S
But still nothing changed. Data with timestamp, for example 04/10/2012 I can find for April, but not for October. Any suggestions?
Splunk forwarder version - 4.3.4, splunk indexer - 4.3
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The TIME_FORMAT needs to specified in your props.conf. Furthermore, it is relevant to the Splunk server that does the parsing. In other words, if your using a universal forwarder, you need to edit your props.conf on the indexer.
The alternative is to use a heavy forwarder to do parsing.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The TIME_FORMAT needs to specified in your props.conf. Furthermore, it is relevant to the Splunk server that does the parsing. In other words, if your using a universal forwarder, you need to edit your props.conf on the indexer.
The alternative is to use a heavy forwarder to do parsing.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ok, got it. Will try to configure the indexer
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
and one more thing - this issue started from October only, for last months I didn't have such problem
