Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- linebreaking question - props.conf change at searc...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
linebreaking question - props.conf change at searchhead, forwarder or indexer?
I want to correct the linebreaking for my secure.txt file.
Do I need to configure props.conf at the searchhead, indexer or universal forwarder?
I have a universal forwarder which is reporting timestamp parsing issues:
10-07-2012 09:16:09.387 -0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previ
ous event (Tue Jul 10 11:56:31 2012). Context: FileClassifier /opt/log/network_syslog1/secure.txt
10-07-2012 09:16:09.387 -0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previ
ous event (Tue Jul 10 11:56:31 2012). Context: FileClassifier /opt/log/network_syslog1/secure.txt
10-07-2012 09:16:09.387 -0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previ
ous event (Tue Jul 10 11:56:31 2012). Context: FileClassifier /opt/log/network_syslog1/secure.txt
10-07-2012 09:16:09.387 -0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previ
ous event (Tue Jul 10 11:58:27 2012). Context: FileClassifier /opt/log/network_syslog1/secure.txt
10-07-2012 09:16:09.387 -0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previ
ous event (Tue Jul 10 11:58:27 2012). Context: FileClassifier /opt/log/network_syslog1/secure.txt
10-07-2012 09:16:09.387 -0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previ
ous event (Tue Jul 10 11:58:27 2012). Context: FileClassifier /opt/log/network_syslog1/secure.txt
10-07-2012 09:16:09.387 -0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previ
ous event (Tue Jul 10 11:58:27 2012). Context: FileClassifier /opt/log/network_syslog1/secure.txt
10-07-2012 09:16:09.387 -0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previ
ous event (Tue Jul 10 11:58:27 2012). Context: FileClassifier /opt/log/network_syslog1/secure.txt
10-07-2012 09:16:09.387 -0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previ
ous event (Tue Jul 10 11:58:27 2012). Context: FileClassifier /opt/log/network_syslog1/secure.txt
10-07-2012 09:16:09.387 -0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previ
ous event (Tue Jul 10 11:58:27 2012). Context: FileClassifier /opt/log/network_syslog1/secure.txt
10-07-2012 09:16:09.212 -0400 INFO TcpOutputProc - Connected to idx=10.160.234.225:9997
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi edchow,
When using a universal forwarder, parsing is done at the indexer, so that's where you need to configure it. Alternatively, you might use a heavy forwarder.
Splunk Observability for AI
Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...
Splunk Observability as Code: From Zero to Dashboard
