Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Timestamp recognition

kcchu01
Explorer
‎11-02-2020 07:55 PM

I am trying to monitor the log file and index to Splunk with the following log format.

02/11/2020,16:09:02,test-xxxxx,DISCONNECT ....

The date format is in DD/MM/YYYY, I added the following stanza in the $SPLUNK/etc/system/local/props.conf of the indexer 

[testsourcetype]

TIME_FORMAT = %d/%m/%Y,%H:%M:%S

However the log still not able to be indexed to Splunk, are there anything I missed?

 

Thank you

 

Labels (1)
Labels
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-04-2020 03:40 AM

Hi @kcchu01,

Let me understand:

  • you updated your props.conf on Indexer,
  • then you restarted Splunk on Indexers,
  • your source file is changed in the meanwhile;

is this correct?

Check the last point because the props.conf is correct and located in the correct point.

But Splunk doesn't index twice a log.

For test, you could add to inputs.conf, in the stanza of the test input also 

crcSalt = <SOURCE>

in this way, changing the file name, you can index it more times.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎11-02-2020 11:56 PM

Hi @kcchu01,

only one question: is there any Heavy Forwatders between the source and the Indexer?

If yes, you have to put this props.conf (also) on Heavy Forwarder.

then add to your props.conf 

TIME_PREFIX = ^

to be sure that Splunk takes the correct timestamp.

Another final question: what's the error you have?

Only one final hint. if a test installation it could be also ok, but usually it's a best practice not to put props.conf in $SPLUNK_HOME/etc/system/local, but it in an App or in Technical Add-On (TA).

Ciao.

Giuseppe

Reply
Solved! Jump to solution

kcchu01
Explorer
‎11-03-2020 12:30 AM

Hi Giuseppe,

No heavy forwarder, just direct connect from UF to Indexer.

 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎11-03-2020 12:38 AM

Hi @kcchu01,

what's the error you have?

ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

kcchu01
Explorer
‎11-03-2020 05:12 PM

No new log found after modified the props.conf

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-04-2020 03:40 AM

Hi @kcchu01,

Let me understand:

  • you updated your props.conf on Indexer,
  • then you restarted Splunk on Indexers,
  • your source file is changed in the meanwhile;

is this correct?

Check the last point because the props.conf is correct and located in the correct point.

But Splunk doesn't index twice a log.

For test, you could add to inputs.conf, in the stanza of the test input also 

crcSalt = <SOURCE>

in this way, changing the file name, you can index it more times.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

kcchu01
Explorer
‎11-09-2020 05:38 PM

Hi, the log can be indexed again after following your method.

 

Thanks a lot

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎11-09-2020 11:11 PM

Hi @kcchu01,

good for you.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
Top