Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is timestamp not selecting proper field in syslog data after upgrade to 7.3.3?

scottrunyon
Contributor
‎12-10-2019 08:26 AM

My data is from a command system that is being sent over UDP connection direct to the indexer. It sends data to Splunk every hour.
Data format is Month Date Time sent from command system, system name, 1, Logon Time
Examples
Dec 10 00:51:46 system.network.net 1 2019-12-10T00:51:19.188-06:00
Dec 9 10:58:25 system.netework.net 1 2019-12-09T10:58:23.793-06:00
Dec 9 22:38:38 system.network.net 1 2019-12-06T08:05:23.745-06:00

I want to use Logon Time as the event time not the time it was received.

This used to work until I upgraded to 7.3.3 from 7.3.0 to fix the Y2K20 issue.

props file contains
DATETIME_CONFIG =
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3Q%:z
TIME_PREFIX = \w+\s{1,}\d{1,}\s\d{2}:\d{2}:\d{2}\s\S+\s\d\s
category = Custom
disabled = false
MAX_TIMESTAMP_LOOKAHEAD = 256
TIMESTAMP_FIELDS =

Any suggestions on what happened?

Scott

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

FrankVl
Ultra Champion
‎12-10-2019 09:29 AM

Try removing the blank DATETIME_CONFIG = setting.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

FrankVl
Ultra Champion
‎12-10-2019 09:29 AM

Try removing the blank DATETIME_CONFIG = setting.

0 Karma
Reply
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!

Review:





Or Learn More in Our Blog >>

Get Updates on the Splunk Community!