Getting Data In

Why is the timestamp in Splunk different from the actual time in the indexed Catalina log?

New Member

Hello,

I'm using Splunk 6.2.3 and have some problems and questions.
First of all, I'd like to describe the problem I actually have:

I filled Splunk with a larger catalina logfile and saw that Splunk reads a different timestamp than the log actually has.
Here is the line where Splunk may begin to read:

1.3.6.1.4.1.20742.3.5.1.2.1.x.x = XX
[15:35:10,560 - Thread-77 (HornetQ-client-factory-threads-887115841-1086694719)] [CONN] DEBUG - TrapProcessor:110 - [...]

When I use the list view, Splunk shows me the time: 03.03.15, 15:34:22,745
However, the date is correct, only the time isn't.

Further questions are:

  1. Where can I change the setting so that Splunk asks me to show all "257" lines? Which configs and stanzas do I have to change to get a different value here?
  2. When I'm searching for any search term, Splunk doesn't show me the result in the first line of the result. Sometimes it's in the third line, sometimes in the first. How does Splunk decide which line is the first?
  3. When I'm using Splunk forwarders, do I always have to configure the input in the inputs.conf on the server side?

So, these are a few questions, but I hope you can help me.

0 Karma
1 Solution

Esteemed Legend

You have not told Splunk how to handle your logfile and it is not doing a good job on its own.

You need to create a props.conf entry that tells it where the timestamp is and, more importantly, what it looks like; this is your problem with the date/time:

http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Configuretimestamprecognition

Also, you have not told it what constitutes a single event inside your logfile; this is the problem with your "sometimes it is in the 3rd line" problem:

http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Indexmulti-lineevents


0 Karma
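As an added illustration of the props.conf entry the answer describes (this is not the answerer's own configuration), here is a stanza written for the line format quoted in the question; the sourcetype name `catalina` is a placeholder and must match whatever the input actually assigns:

```ini
# props.conf -- goes on the indexer (or a heavy forwarder); a universal
# forwarder only reads and ships the file, it does no timestamp or
# line-break parsing, so its inputs.conf is all it needs.
[catalina]
# Every event begins with "[HH:MM:SS,mmm - Thread-...". Break the stream only
# in front of such a line, so a continuation line like
# "1.3.6.1.4.1.20742.3.5.1.2.1.x.x = XX" stays attached to the event it
# belongs to instead of becoming an event (or the first line) of its own.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=\[\d{2}:\d{2}:\d{2},\d{3} - )
# The timestamp follows the opening bracket directly: 15:35:10,560
TIME_PREFIX = ^\[
# Hours:minutes:seconds, comma, three-digit milliseconds (%3N is Splunk's
# subsecond specifier)
TIME_FORMAT = %H:%M:%S,%3N
# Stop looking for the timestamp this many characters after TIME_PREFIX,
# so a later number in the message can never be mistaken for the time
MAX_TIMESTAMP_LOOKAHEAD = 12
# Note: the line carries no date, so Splunk still has to infer the date
# from context (such as the file's modification time).
```

Line breaking and timestamp extraction happen at index time, so the stanza must be in place (and the indexer restarted or the config reloaded) before the file is indexed; events that were already indexed with the wrong timestamp do not change.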

New Member

Thanks for your answer!
I'll try it out and check whether I solved it.

But another problem I'm having is that the direct file upload doesn't work for me.
Splunk seems to upload the file until 100% but then it freezes and no progress is visible.

0 Karma