- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Why is the custom date time path on indexers n...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why is the custom date time path on indexers not working?
I have configured custom datetime_custom.xml.
while It is working on Heavy Forwarder (HF) with props.conf on HF.
but when I deployed to indexers, Indexers are not reading the settings.
DATETIME_CONFIG=/etc/apps/testing/local/datetime.xml - ON HF WORKED FINE
DATETIME_CONFIG=/etc/slave-apps/testing/local/datetime.xml - ON INDEXERS NOT WORKING.
Do I need to change path on indexers?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I put in the the datetime.xml in "master-apps" where it was pushed to "slave-apps" and it is working.
the props file is
splunk@#######~$ cat /opt/splunk/etc/master-apps/Index_Cluster_Config/local/props.conf
[default]
DATETIME_CONFIG = etc/slave-apps/Forwarder_Gen_and_Sec_Settings/bin/datetime.xml
With the datetime.xml being pushed to
/opt/splunk/etc/slave-apps/Index_Cluster_Config/bin/datetime.xml
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you are using a heavy forwarder with the indexers, the timestamps will be parsed on the heavy forwarders. If you are using Universal Forwarders with your indexers (or monitoring files that reside on the indexer itself), then the timestamps will be parsed on the indexers.
Was it really necessary to write the datetime config XML file?
Wouldn't it have been easier - and possibly more efficient - to simply use the TIME_FORMAT option in props.conf instead?
Finally, to answer your question: no, if the indexers are clustered, you must put the datetime.xml file into the master app packages that are distributed to the slave app directory of the indexer peers.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Iguinn , I put my datetime.xml and deployed it to slave appa. But It is not working. FYI My events are sent to http event collector services/collector end point. Is that the reason for not being parsed. What should I modify. I just need to extract time. Splunk not even detecting the timestamp before 128 characters.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It is just putting timestamp as current time.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
xml version="1.0"
datetime
define extract="hour, minute, second, subsecond" name="_time"
text timestamp\W+\d{4}-\d{2}-\d{2}\s(\d{1,2}):(\d{2}):(\d{2}).(\d{3} )text
define
define extract="year, month, day" name="_date"
text DATE\W+(\d{4})-(\d{2})-(\d{2}) text
define
timePatterns
datePatterns
datetime
removed tags in above xml
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
