Re: _time error

asncari · ‎02-01-2024

Good afternoon,
I have a very strange problem. I have a log with these 2 events:

01/02/2024 13:06:16 - SOLISP1 IP: 10.229.87.80 USER-AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0
01/02/2024 13:00:54 - GGCARO3 IP: 10.229.87.80 USER-AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0

The date format in the event is dd/mm/yyyy
Well, splunk indexes one of them in January and another in February. We have tried editing the props file as follows:

[default]
TIME_PREFIX = ^
TIME_FORMAT = %d/%m/%Y %H:%M:%S

Anyone know what might be happening?

asncari · ‎02-01-2024

I'll test it and tell you.

Thx Giuseppe

gcusello · ‎02-01-2024

Hi @asncari,

probaly the options aren't applied to your sourcetype, please add them in a sourcetype, not to default, in props.conf:

[your_sourcetype]
TIME_PREFIX = ^
TIME_FORMAT = %d/%m/%Y %H:%M:%S

Ciao.

Giuseppe

asncari · ‎02-01-2024

Hi Giuseppe,

We have configured the props.conf with the sourcetype and the behavior is the same.

Thx Giuseppe.

gcusello · ‎02-01-2024

hi @asncari,

there's no reason for this behavior!

Please, make a last try: remove TIME_PREFIX, restart Splunk and try again.

Ciao.

Giuseppe

asncari · ‎02-01-2024

Hi, @gcusello

Without the props file it is how we originally had it and that is why I added it.

I am going to open a case with Broadcom support because this doesn't make sense.

If we can solve it, I will write it here so that it can be of use to other people.

gcusello · ‎02-01-2024

Hi @asncari,

don't remove props.conf: leave it with

[<your_sourcetype>]
TIME_FORMAT = %d/%m/%Y %H:%M:%S

Otherwise open a case to Splunk Support, sending them a diag.

Ciao.

Giuseppe

_time error

props.conf

Splunk and Fraud

Build Your First SPL2 App!

Splunk and Palo Alto - Updates to Official Splunkbase Support