Every month 1st, I am facing the below issue.
Splunk stopped indexing on 1st of every month
For ex : Feb 1st it stopped indexing & it retrieved on 2nd, and on March 1st stopped and indexing again on 3rd march.
Look like splunk recognizing logs as MM/DD though DD/MM in the log
I tried to add "%d/%m/%Y %H:%M:%S" in props.conf but still no luck
Thanks for the reply.
Yes it is forwarder, even I have add the below stanza to props.conf file (In deployment server) which did not work, even changed in all indexers $SPLUNK_HOME$/system/local/props.conf as well