Hey guys,
I'm a new Splunk user and my events are not sorting correctly.
I have data coming from a UF that looks like this:
11/22/2005 17:28pm ****
Connecting to ports, Please wait....
2005/11/22 17:29:07.789 TUE. JOURNAL FILE RECORD ID 16341
2005/11/22 17:29:19.091 TUE. JOURNAL FILE RECORD ID 16342
2005/11/22 17:29:28.334 TUE. JOURNAL FILE RECORD ID 16343
Logging out12/13/2005 10:00am ****
And I want Splunk to sort the events based on the date with the format dd/mm/yyyy. Instead, Splunk automatically split my events on the yyyy/mm/dd.
First off, since this is a UF, do I need to add a props.conf on the UF and create a line like this? BREAK_ONLY_BEFORE = [0-9][0-9]/[0-9][0-9]/[0-9][0-9][0-9][0-9]
Secondly, when I add new data through the Splunk Add Data wizard, I can separate my events correctly from there, but it doesn't affect the previously indexed events. If some amount of data is already indexed and I change the props.conf, will it not go back and reindex based on the updated props.conf, or is it forever stuck parsed incorrectly?
Thirdly, this is a sandbox server, and I "cleaned" out one of my indexes. I want to re-add the data, and the data is still sitting in the same spot as before, but Splunk doesn't recognize it. Splunk is already monitoring these files but doesn't pick it back up. How do I get the same data I had reindexed into Splunk when I've cleaned it? Is it possible?
Thanks for the help.
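Added example, not code from the post or its author: a props.conf stanza that breaks the sample data above on its slash-date header lines and takes the event timestamp from that header. The sourcetype name journal_log is assumed; line-breaking and timestamp settings take effect where parsing happens (an indexer or heavy forwarder), not on a universal forwarder.

```ini
# Assumed sourcetype name; apply on the indexer or heavy forwarder that parses this data
[journal_log]
# Merge lines into multi-line events, starting a new event only at a header line
SHOULD_LINEMERGE = true
# Header lines begin with a slash date such as "11/22/2005 17:28pm"
BREAK_ONLY_BEFORE = ^\d{2}/\d{2}/\d{4}
# The timestamp sits at the very start of each event
TIME_PREFIX = ^
TIME_FORMAT = %m/%d/%Y %H:%M
# Read only the first 16 characters ("11/22/2005 17:28"), so the trailing "pm"
# and the yyyy/mm/dd dates on the JOURNAL FILE lines are never used as the time
MAX_TIMESTAMP_LOOKAHEAD = 16
```

Restart the parsing instance after editing props.conf; the stanza only affects data indexed from then on, not events already written to the index.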