Data is in a file. In inputs.conf I have:
[monitor:///opt/splunk/data/test/HOSTS/.../*.logfile]
index=test
sourcetype = syslog
When I didn't have the props.conf, my data was coming in as the date of the file, so I created a props.conf file, fat-fingered above. It is:
[source:///opt/splunk/data/HOSTS/.../*.logfile]
sourcetype = syslog
TIME_FORMAT = %d %m %H:%M:%S
The directory structure is - .../HOSTS/ /year/month/day.logfile. With the 2 files configured as noted, I am only getting data for 2013 and not 2012. Search is set to all time. Any suggestions on changes to this would be appreciated.