Solved: Timestamp in props.conf

splunkingsplun1 · ‎01-30-2014

My event looks like this:

Jan 30 10:32:43 192.168.1.1 Netdefender: 30-01-2014 02:54:05 WARNING

We would like to use the second timestamp for our events. We have configured props.conf in /local like this:

[netdefender]
TIME_PREFIX = \w+\s\d+\s\d{2}:\d{2}:\d{2}\s\d+\.\d+\.\d+\.\d+\s\w+\:\s
MAX_TIMESTAMP_LOOKAHEAD = 44

We are still seeing index time as the timestamp. What are we missing?

kristian_kolb · ‎01-30-2014

The config below should work.

[netdefender]
TIME_PREFIX = :\s
TIME_FORMAT = %d-%m-%Y %H:%M:%S

Further things to check:

The sourcetype name is correct?

You are aware that this only affects new events coming in?

You have restarted Splunk?

/K

kristian_kolb · ‎01-30-2014

The config below should work.

[netdefender]
TIME_PREFIX = :\s
TIME_FORMAT = %d-%m-%Y %H:%M:%S

Further things to check:

The sourcetype name is correct?

You are aware that this only affects new events coming in?

You have restarted Splunk?

/K

splunkingsplun1 · ‎01-30-2014

Thank you that did what we needed!

Timestamp in props.conf