Why is the custom date time path on indexers not working?

ankithreddy777
Contributor

I have configured a custom datetime.xml.

It is working on the Heavy Forwarder (HF) with props.conf on the HF.

But when I deployed it to the indexers, the indexers are not reading the settings.

DATETIME_CONFIG=/etc/apps/testing/local/datetime.xml - ON HF WORKED FINE
DATETIME_CONFIG=/etc/slave-apps/testing/local/datetime.xml - ON INDEXERS NOT WORKING.

Do I need to change the path on the indexers?

0 Karma

bheitzman_con
Engager

I put the datetime.xml in "master-apps", from where it was pushed to "slave-apps", and it is working.

The props file is:
splunk@#######~$ cat /opt/splunk/etc/master-apps/Index_Cluster_Config/local/props.conf
[default]
DATETIME_CONFIG = etc/slave-apps/Forwarder_Gen_and_Sec_Settings/bin/datetime.xml

With the datetime.xml being pushed to
/opt/splunk/etc/slave-apps/Index_Cluster_Config/bin/datetime.xml

0 Karma

lguinn2
Legend

If you are using a heavy forwarder with the indexers, the timestamps will be parsed on the heavy forwarders. If you are using Universal Forwarders with your indexers (or monitoring files that reside on the indexer itself), then the timestamps will be parsed on the indexers.

Was it really necessary to write the datetime config XML file?
Wouldn't it have been easier - and possibly more efficient - to simply use the TIME_FORMAT option in props.conf instead?

Finally, to answer your question: no, if the indexers are clustered, you must put the datetime.xml file into the master app packages that are distributed to the slave app directory of the indexer peers.

0 Karma

ankithreddy777
Contributor

Hi lguinn, I put my datetime.xml in place and deployed it to slave-apps. But it is not working. FYI, my events are sent to the HTTP Event Collector services/collector endpoint. Is that the reason for them not being parsed? What should I modify? I just need to extract the time. Splunk is not even detecting the timestamp before 128 characters.

0 Karma

ankithreddy777
Contributor

It is just putting timestamp as current time.

0 Karma

ankithreddy777
Contributor

<?xml version="1.0"?>
<!-- The angle brackets were stripped when this was posted; the element tags,
     the CDATA wrappers and the <use> references are restored here. -->
<datetime>
  <!-- Time of day comes from the 'timestamp' field; the date portion of that field is skipped -->
  <define extract="hour, minute, second, subsecond" name="_time">
    <text><![CDATA[timestamp\W+\d{4}-\d{2}-\d{2}\s(\d{1,2}):(\d{2}):(\d{2})\.(\d{3})]]></text>
  </define>
  <!-- Date comes from the separate 'DATE' field -->
  <define extract="year, month, day" name="_date">
    <text><![CDATA[DATE\W+(\d{4})-(\d{2})-(\d{2})]]></text>
  </define>
  <timePatterns>
    <use name="_time"/>
  </timePatterns>
  <datePatterns>
    <use name="_date"/>
  </datePatterns>
</datetime>

(The tags were removed from the XML above when it was posted.)

0 Karma
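As an added example (not from anyone in this thread), here is the props.conf route that lguinn2 suggests instead of a custom datetime.xml, written against the event layout implied by the regexes in the XML above. The sourcetype name is an assumption, and the whole timestamp is taken from the 'timestamp' field rather than split across 'timestamp' and 'DATE'.

```ini
# Added example, not from this thread. Assumes events look roughly like:
#   ... timestamp 2019-05-01 13:45:07.123 ... DATE 2019-05-01 ...
# The sourcetype name is a placeholder. Put this on whichever tier parses the data:
# the HF when one is in the path, otherwise the indexer peers (via master-apps).
[my_app_events]
# Anchor just before the date/time, same prefix as the _time regex in the XML above
TIME_PREFIX = timestamp\W+
# Splunk strptime format; %3N is three-digit subseconds
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N
# Lookahead counts from the end of the TIME_PREFIX match; 32 covers the
# 23-character value that follows it (the default is 128)
MAX_TIMESTAMP_LOOKAHEAD = 32
# Set explicitly because the events carry no zone designator
TZ = UTC
# With this stanza in effect no DATETIME_CONFIG is needed. For the XML route instead,
# the path is relative to $SPLUNK_HOME, e.g.
# DATETIME_CONFIG = /etc/slave-apps/<app>/local/datetime.xml
```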