Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Timestamp issue

nawazns5038
Builder
‎04-09-2018 05:28 PM

Hi,

I have configured inputs and props on a heavy forwarder and there is same stanza of sourcetype with no parameters under the sourcetype in the search head.

Will the empty stanza in the search head cause a conflict ?

I see that we are facing timestamp recognition issue while indexing. Splunk isn't taking the right values, even though the time prefix and the timestamp format have been checked fully with the data before on boarding.

Isn't Splunk unable to keep up with data ? we are indexing lots of .gz files. at one time

0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎04-09-2018 10:29 PM

Perhaps you could post some sample data and your props.conf so we can confirm its correct? This should also be on your indexer(s).

0 Karma
Reply

niketn
Legend
‎04-09-2018 08:31 PM

@nawazns5308, you can use btool debug command to find out which config file is being used for a partcular configuration being applied.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

deepashri_123
Motivator
‎04-09-2018 06:14 PM

Hey@nawazns5038,

Adding empty stanza in search head shouldn't cause a conflict as there are parameters that go in search head as well.
But the configurations should be added on the indexers.
Please refer this doc for details:
http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings%3F

Let me know if this helps!!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...