Timestamp issue

nawazns5038 · ‎04-09-2018

Hi,

I have configured inputs and props on a heavy forwarder and there is same stanza of sourcetype with no parameters under the sourcetype in the search head.

Will the empty stanza in the search head cause a conflict ?

I see that we are facing timestamp recognition issue while indexing. Splunk isn't taking the right values, even though the time prefix and the timestamp format have been checked fully with the data before on boarding.

Isn't Splunk unable to keep up with data ? we are indexing lots of .gz files. at one time

skoelpin · ‎04-09-2018

Perhaps you could post some sample data and your props.conf so we can confirm its correct? This should also be on your indexer(s).

niketn · ‎04-09-2018

@nawazns5308, you can use btool debug command to find out which config file is being used for a partcular configuration being applied.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

deepashri_123 · ‎04-09-2018

Hey@nawazns5038,

Adding empty stanza in search head shouldn't cause a conflict as there are parameters that go in search head as well.
But the configurations should be added on the indexers.
Please refer this doc for details:
http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings%3F

Let me know if this helps!!

Timestamp issue

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?