Splunk Enterprise

Time format for log

justindett
Path Finder

Hi,

I am struggling with some logs in a specific directory. They just don't seem to be ingested into Splunk.

If I put a normal .log file in with a standard time format it populates just fine.

But these logs have the following format:

O", "message": "Test logging" }
{ "time": "2020-12-07 09:46:52.7940", "threadId": "30", "level": "INFO", "message": "Test logging" }
{ "time": "2020-12-07 12:14:34.7402", "threadId": "53", "level": "INFO", "message": "Test logging" }
{ "time": "2020-12-07 13:48:24.8650", "threadId": "12", "level": "INFO", "message": "Test logging" }
{ "time": "2020-12-08 10:33:40.0607", "threadId": "68", "level": "INFO", "message": "Test logging" }
{ "time": "2020-12-08 11:53:56.7778", "threadId": "51", "level": "INFO", "message": "Test logging" }
{ "time": "2020-12-09 08:42:53.6465", "threadId": "133", "level": "INFO", "message": "Test logging" }
{ "time": "2020-12-09 10:35:44.0103", "threadId": "152", "level": "INFO", "message": "Test logging" }
{ "time": "2020-12-11 10:38:27.0194", "threadId": "113", "level": "INFO", "message": "Test logging" }
{ "time": "2020-12-11 12:18:25.0442", "threadId": "6", "level": "INFO", "message": "Test logging" }


And nothing comes into Splunk at all. I have commented out all the timestamp options in the props.conf to force it to use the default manner, but still nothing at all.

Is it related to a setting that should be in the props.conf? 

Any assistance would be appreciated.

Thanks


scelikok
SplunkTrust

Hi @justindett,

Did you try searching these logs with "All Time"? I don't think there is a way that Splunk does not ingest; most probably it is ingesting with the wrong timestamp. For example, Jul 12nd, Aug 12nd, Sep 12nd and Nov 12nd ...

Maybe updating the TIME_FORMAT in your props.conf will work. If you can share your setting I will try to help.

If this reply helps you an upvote and "Accept as Solution" is appreciated.

justindett
Path Finder

Hi,

I selected all time and still nothing. The props.conf is as follows, as per manjunathmeti:

[sanport:dcm]
SHOULD_LINEMERGE = true
INDEXED_EXTRACTIONS = json
KV_MODE = none
AUTO_KV_JSON = false
TIMESTAMP_FIELDS = time

manjunathmeti
Champion

Hi @justindett,

You can use INDEXED_EXTRACTIONS to parse these logs as JSON events. Set the configs below in props.conf on the forwarder.

[sourcetype_name]
SHOULD_LINEMERGE = true
INDEXED_EXTRACTIONS = json
KV_MODE = none
AUTO_KV_JSON = false
TIMESTAMP_FIELDS = time
If this reply helps you, an upvote/like would be appreciated.

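An added example (not code from the thread or from Splunk) that ties scelikok's TIME_FORMAT suggestion and manjunathmeti's INDEXED_EXTRACTIONS / TIMESTAMP_FIELDS stanza together: before shipping a file, check that every line is one complete JSON object and that its "time" field really matches the format the stanza will parse. It uses the lines posted in the question as constructed sample input, including the truncated first line, plus one made-up line with an unparseable timestamp. The Splunk-side format string in the comment (%Y-%m-%d %H:%M:%S.%4N) is an assumption; the Python equivalent below uses %f, which accepts the four-digit fraction these logs carry.

```python
import json
from datetime import datetime

# Constructed sample: the lines from the question (the first one is truncated,
# exactly as posted) plus one extra line with a timestamp that cannot be parsed.
SAMPLE_LOG = """O", "message": "Test logging" }
{ "time": "2020-12-07 09:46:52.7940", "threadId": "30", "level": "INFO", "message": "Test logging" }
{ "time": "2020-12-07 12:14:34.7402", "threadId": "53", "level": "INFO", "message": "Test logging" }
{ "time": "2020-12-08 10:33:40.0607", "threadId": "68", "level": "INFO", "message": "Test logging" }
{ "time": "not a timestamp", "threadId": "9", "level": "INFO", "message": "Test logging" }
"""

# Assumed props.conf counterpart of the check below (not from the thread):
#   TIME_FORMAT = %Y-%m-%d %H:%M:%S.%4N
# Python's %f accepts one to six fractional digits, so it covers the 4-digit case.
PY_TIME_FORMAT = "%Y-%m-%d %H:%M:%S.%f"
TIMESTAMP_FIELD = "time"  # mirrors TIMESTAMP_FIELDS = time in the stanza


def check_line(line, lineno):
    """Classify one log line.

    Returns (status, detail) where status is one of
    "ok", "bad_json", "missing_field" or "bad_time".
    """
    try:
        event = json.loads(line)
    except json.JSONDecodeError as e:
        return "bad_json", f"line {lineno}: {e.msg} at col {e.colno}"
    if not isinstance(event, dict) or TIMESTAMP_FIELD not in event:
        return "missing_field", f"line {lineno}: no '{TIMESTAMP_FIELD}' field"
    try:
        ts = datetime.strptime(event[TIMESTAMP_FIELD], PY_TIME_FORMAT)
    except ValueError:
        return "bad_time", (f"line {lineno}: '{event[TIMESTAMP_FIELD]}' "
                            f"does not match {PY_TIME_FORMAT}")
    return "ok", ts.isoformat()


def validate_log(text):
    """Run check_line over every non-empty line; returns status -> list of details."""
    report = {"ok": [], "bad_json": [], "missing_field": [], "bad_time": []}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        status, detail = check_line(line, n)
        report[status].append(detail)
    return report


if __name__ == "__main__":
    for status, items in validate_log(SAMPLE_LOG).items():
        for item in items:
            print(f"[{status}] {item}")
```

Lines reported as bad_json or bad_time are the ones to look at first: with INDEXED_EXTRACTIONS = json a partial object cannot be parsed as an event, and a "time" value the format does not match makes Splunk fall back to another time source, so the event exists but lands outside the window you are searching, which is exactly the "search All Time" symptom scelikok describes.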

justindett
Path Finder

Thanks, I'll give that a try.
