Re: linebreaking question - props.conf change at s...

edchow · ‎10-07-2012

I want to correct the linebreaking for my secure.txt file.

Do I need to configure props.conf at the searchhead, indexer or universal forwarder?

I have a universal forwarder which is reporting timestamp parsing issues:

10-07-2012 09:16:09.387 -0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previ
ous event (Tue Jul 10 11:56:31 2012). Context: FileClassifier /opt/log/network_syslog1/secure.txt
10-07-2012 09:16:09.387 -0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previ
ous event (Tue Jul 10 11:56:31 2012). Context: FileClassifier /opt/log/network_syslog1/secure.txt
10-07-2012 09:16:09.387 -0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previ
ous event (Tue Jul 10 11:56:31 2012). Context: FileClassifier /opt/log/network_syslog1/secure.txt
10-07-2012 09:16:09.387 -0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previ
ous event (Tue Jul 10 11:58:27 2012). Context: FileClassifier /opt/log/network_syslog1/secure.txt
10-07-2012 09:16:09.387 -0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previ
ous event (Tue Jul 10 11:58:27 2012). Context: FileClassifier /opt/log/network_syslog1/secure.txt
10-07-2012 09:16:09.387 -0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previ
ous event (Tue Jul 10 11:58:27 2012). Context: FileClassifier /opt/log/network_syslog1/secure.txt
10-07-2012 09:16:09.387 -0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previ
ous event (Tue Jul 10 11:58:27 2012). Context: FileClassifier /opt/log/network_syslog1/secure.txt
10-07-2012 09:16:09.387 -0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previ
ous event (Tue Jul 10 11:58:27 2012). Context: FileClassifier /opt/log/network_syslog1/secure.txt
10-07-2012 09:16:09.387 -0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previ
ous event (Tue Jul 10 11:58:27 2012). Context: FileClassifier /opt/log/network_syslog1/secure.txt
10-07-2012 09:16:09.387 -0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previ
ous event (Tue Jul 10 11:58:27 2012). Context: FileClassifier /opt/log/network_syslog1/secure.txt
10-07-2012 09:16:09.212 -0400 INFO TcpOutputProc - Connected to idx=10.160.234.225:9997

echalex · ‎10-07-2012

Hi edchow,

When using a universal forwarder, parsing is done at the indexer, so that's where you need to configure it. Alternatively, you might use a heavy forwarder.

linebreaking question - props.conf change at searchhead, forwarder or indexer?

User Groups | Upcoming Events!

Splunk Lantern | Spotlight on Security: Adoption Motions, War Stories, and More

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)