Getting Data In

subseconds forwarded via LightForwarder not recognized

Jaci
Splunk Employee
Splunk Employee

I have a log event with a timestamp that includes milliseconds: 2010-07-30 11:16:43,357

If the log is loaded into Splunk on the indexer the subseconds get recognized.

If the log is forwarded via LightForwarder, subseconds are not recognized:

7/30/10 11:16:43,000 AM

How can I correct this?

Thanks in advance.

Tags (1)

jhedgpeth
Path Finder

Have you tried setting the time format for that sourcetype explicitly in props.conf? I think the TIME_FORMAT would be %m/%d/%y %H:%M:%S,%3N

Not sure, but there may be a difference in how Splunk examines your data when coming via lightforwarder, and the props.conf setting should force the same behavior.

meno
Path Finder

We are sure there are no other rules on the LightForwarder. We also deleted all files under .../apps/learned and .../etc/users.

Subseconds still are not recognized from ALL sources.

Any more ideas how to debug / loglevel to make timestamp recognition visible ?

Thanks for helping, Meno

0 Karma

Stephen_Sorkin
Splunk Employee
Splunk Employee

Is this the case for all data or just from this source? I've tested a 4.1.x instance with the logs in index=_internal and subseconds are correctly parsed and rendered. Are there custom timestamping rules on the forwarder?

Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...