I have one event viewer log and I'm trying to capture the data fields, since Splunk cannot recognize the timestamp by itself.
Here is one log sample:
spsnip01,16,ShadowCopy,SPSNIP01,,2003,2003,3,{lserver;3092;;15},Application,lserver (3092) Shadow copy 15 freeze stopped.
spsnip01,16,ShadowCopy,SPSNIP01,,2001,2001,3,{lserver;3092;;15},Application,lserver (3092) Shadow copy 15 freeze started.
spsnip01,0,,SPSNIP01,,8018,8018,3,,Application,Begin Operation
spsnip01,0,,SPSNIP01,,0,0,3,{20100920_223511 - Arquivo procrelperf_ccccp02_nfe_ago10.xls processado OK},Application,20100920_223511 - Arquivo procrelperf_ccccp02_nfe_ago10.xls processado OK
spsnip01,0,,SPSNIP01,,0,0,3,{20100920_223511 - Processando arquivo procrelperf_ccccp02_nfe_ago10.xls},Application,20100920_223511 - Processando arquivo procrelperf_ccccp02_nfe_ago10.xls
spsnip01,0,,SPSNIP01,,6,-2147352570,2,{50;60},Application,Reached crypt32 threshold of 50 events and will suspend logging for 60 minutes
How can I tell Splunk how to correctly read the timestamp (bold)?
Ok, got it done.
I updated my props.conf to
TIME_PREFIX = (?m)^,\d+,\w+,
TIME_FORMAT = %y%m%d%H%M%S
restarted Splunk, but nothing happened. I still get Splunk with just one timestamp [the timestamp when I got my data added].
I tried as well to set the sourcetype [csv] up as CHECK_FOR_HEADER=TRUE and hoped that Splunk would do its part as described in the documentation.
I restarted the instance, but still the same. Genti, I've changed to the other values, but without success.
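A small Python check, added here as an example and not code from the thread or from Splunk: it applies a TIME_PREFIX regex and a TIME_FORMAT to the sample lines the way Splunk's documented lookup works in outline (the prefix regex must match first, then the timestamp is read right after it; the real parser also allows a lookahead window, which this simplified model ignores). Run against the props.conf values from the comment above, the prefix never matches, because every sample line starts with the host name rather than a comma, so each event falls back to index time, which is exactly the "just one timestamp" symptom. The alternative prefix and format in the usage call are my assumptions, based on the 20100920_223511 token inside the Strings field being the timestamp the question refers to.

```python
import re
from datetime import datetime

# Sample lines copied from the question. Note that the CSV has no timestamp
# column; the only date/time-looking token sits inside the braces field.
SAMPLE_LINES = [
    "spsnip01,16,ShadowCopy,SPSNIP01,,2003,2003,3,{lserver;3092;;15},Application,"
    "lserver (3092) Shadow copy 15 freeze stopped.",
    "spsnip01,0,,SPSNIP01,,0,0,3,{20100920_223511 - Arquivo procrelperf_ccccp02_nfe_ago10.xls processado OK},"
    "Application,20100920_223511 - Arquivo procrelperf_ccccp02_nfe_ago10.xls processado OK",
    "spsnip01,0,,SPSNIP01,,6,-2147352570,2,{50;60},Application,"
    "Reached crypt32 threshold of 50 events and will suspend logging for 60 minutes",
]

# strptime directives -> regex fragments, enough for the formats discussed here.
_DIRECTIVE_RE = {
    "%Y": r"\d{4}", "%y": r"\d{2}", "%m": r"\d{2}", "%d": r"\d{2}",
    "%H": r"\d{2}", "%M": r"\d{2}", "%S": r"\d{2}",
}


def format_to_regex(time_format):
    """Turn a TIME_FORMAT string into a regex matching exactly that shape."""
    pattern = ""
    i = 0
    while i < len(time_format):
        token = time_format[i:i + 2]
        if token in _DIRECTIVE_RE:
            pattern += _DIRECTIVE_RE[token]
            i += 2
        else:
            pattern += re.escape(time_format[i])
            i += 1
    return pattern


def extract_timestamp(line, time_prefix, time_format):
    """Simplified model of Splunk's TIME_PREFIX/TIME_FORMAT lookup.

    The prefix regex must match somewhere in the line, and the timestamp must
    start immediately after the end of that match. Returns a datetime, or
    None where Splunk would fall back to index time.
    """
    prefix = re.search(time_prefix, line)
    if prefix is None:
        return None
    rest = line[prefix.end():]
    m = re.match(format_to_regex(time_format), rest)
    if m is None:
        return None
    try:
        return datetime.strptime(m.group(0), time_format)
    except ValueError:
        return None


def run(time_prefix, time_format):
    """Apply one prefix/format pair to every sample line."""
    return [extract_timestamp(line, time_prefix, time_format) for line in SAMPLE_LINES]


if __name__ == "__main__":
    # The values from the props.conf in the thread: no line begins with a comma.
    print(run(r"(?m)^,\d+,\w+,", "%y%m%d%H%M%S"))
    # Assumed alternative: skip eight comma-terminated fields and the opening
    # brace, then read YYYYMMDD_HHMMSS. Only the line carrying that token parses.
    print(run(r"^(?:[^,]*,){8}\{", "%Y%m%d_%H%M%S"))
```

The useful habit this shows is testing the prefix and format against a real line before restarting Splunk: a prefix that cannot match is silently ignored, and the only visible symptom is every event landing on the index time.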