Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is timestamp not selecting proper field in syslog data after upgrade to 7.3.3?

scottrunyon
Contributor
‎12-10-2019 08:26 AM

My data is from a command system that is being sent over UDP connection direct to the indexer. It sends data to Splunk every hour.
Data format is Month Date Time sent from command system, system name, 1, Logon Time
Examples
Dec 10 00:51:46 system.network.net 1 2019-12-10T00:51:19.188-06:00
Dec 9 10:58:25 system.netework.net 1 2019-12-09T10:58:23.793-06:00
Dec 9 22:38:38 system.network.net 1 2019-12-06T08:05:23.745-06:00

I want to use Logon Time as the event time not the time it was received.

This used to work until I upgraded to 7.3.3 from 7.3.0 to fix the Y2K20 issue.

props file contains
DATETIME_CONFIG =
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3Q%:z
TIME_PREFIX = \w+\s{1,}\d{1,}\s\d{2}:\d{2}:\d{2}\s\S+\s\d\s
category = Custom
disabled = false
MAX_TIMESTAMP_LOOKAHEAD = 256
TIMESTAMP_FIELDS =

Any suggestions on what happened?

Scott

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

FrankVl
Ultra Champion
‎12-10-2019 09:29 AM

Try removing the blank DATETIME_CONFIG = setting.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

FrankVl
Ultra Champion
‎12-10-2019 09:29 AM

Try removing the blank DATETIME_CONFIG = setting.

View solution in original post

0 Karma
Reply
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!

Get Updates on the Splunk Community!