Solved: Why is timestamp not selecting proper field in sys...

scottrunyon · ‎12-10-2019

My data is from a command system that is being sent over UDP connection direct to the indexer. It sends data to Splunk every hour.
Data format is Month Date Time sent from command system, system name, 1, Logon Time
Examples
Dec 10 00:51:46 system.network.net 1 2019-12-10T00:51:19.188-06:00
Dec 9 10:58:25 system.netework.net 1 2019-12-09T10:58:23.793-06:00
Dec 9 22:38:38 system.network.net 1 2019-12-06T08:05:23.745-06:00

I want to use Logon Time as the event time not the time it was received.

This used to work until I upgraded to 7.3.3 from 7.3.0 to fix the Y2K20 issue.

props file contains
DATETIME_CONFIG =
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3Q%:z
TIME_PREFIX = \w+\s{1,}\d{1,}\s\d{2}:\d{2}:\d{2}\s\S+\s\d\s
category = Custom
disabled = false
MAX_TIMESTAMP_LOOKAHEAD = 256
TIMESTAMP_FIELDS =

Any suggestions on what happened?

Scott

FrankVl · ‎12-10-2019

Try removing the blank DATETIME_CONFIG = setting.

View solution in original post

FrankVl · ‎12-10-2019

Try removing the blank DATETIME_CONFIG = setting.

Why is timestamp not selecting proper field in syslog data after upgrade to 7.3.3?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!