Getting Data In

linebreaking question - props.conf change at searchhead, forwarder or indexer?

edchow
Explorer

I want to correct the linebreaking for my secure.txt file.

Do I need to configure props.conf at the searchhead, indexer or universal forwarder?

I have a universal forwarder which is reporting timestamp parsing issues:

10-07-2012 09:16:09.387 -0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previ
ous event (Tue Jul 10 11:56:31 2012). Context: FileClassifier /opt/log/network_syslog1/secure.txt
10-07-2012 09:16:09.387 -0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previ
ous event (Tue Jul 10 11:56:31 2012). Context: FileClassifier /opt/log/network_syslog1/secure.txt
10-07-2012 09:16:09.387 -0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previ
ous event (Tue Jul 10 11:56:31 2012). Context: FileClassifier /opt/log/network_syslog1/secure.txt
10-07-2012 09:16:09.387 -0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previ
ous event (Tue Jul 10 11:58:27 2012). Context: FileClassifier /opt/log/network_syslog1/secure.txt
10-07-2012 09:16:09.387 -0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previ
ous event (Tue Jul 10 11:58:27 2012). Context: FileClassifier /opt/log/network_syslog1/secure.txt
10-07-2012 09:16:09.387 -0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previ
ous event (Tue Jul 10 11:58:27 2012). Context: FileClassifier /opt/log/network_syslog1/secure.txt
10-07-2012 09:16:09.387 -0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previ
ous event (Tue Jul 10 11:58:27 2012). Context: FileClassifier /opt/log/network_syslog1/secure.txt
10-07-2012 09:16:09.387 -0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previ
ous event (Tue Jul 10 11:58:27 2012). Context: FileClassifier /opt/log/network_syslog1/secure.txt
10-07-2012 09:16:09.387 -0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previ
ous event (Tue Jul 10 11:58:27 2012). Context: FileClassifier /opt/log/network_syslog1/secure.txt
10-07-2012 09:16:09.387 -0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previ
ous event (Tue Jul 10 11:58:27 2012). Context: FileClassifier /opt/log/network_syslog1/secure.txt
10-07-2012 09:16:09.212 -0400 INFO TcpOutputProc - Connected to idx=10.160.234.225:9997

Tags (1)

echalex
Builder

Hi edchow,

When using a universal forwarder, parsing is done at the indexer, so that's where you need to configure it. Alternatively, you might use a heavy forwarder.

Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...