We have our application logs, which are being monitored using a universal forwarder. Below is a sample message; the same log messages will have multiple dates for better tracing.
The issue is that, sporadically, the timestamps inside the actual JSON ("dateCreated" and "shipDate") are taken as the start of the Splunk event instead of the actual time the event occurred, i.e. the sample message below is shown in Splunk search with the "_time" field as "2018-12-03T12:00:00" instead of "2018-12-03T15:06:42".
2018-12-03T15:06:42,298 [[my-application].endpointsFlow.stage1.4150] INFO com.xxx.yyy.zzz - Processing Mesage
Message:{
"dateCreated": "2018-12-03T12:00:00Z",
"shipDate": "2018-12-03T12:00:00Z",
"XXX" :"YYYY"
}
We tried to explicitly set the configuration below in props.conf; however, this doesn't have any effect on the behavior.
[test:app]
REPORT-app = test-app, test-app2
BREAK_ONLY_BEFORE=^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2},\d{3}
MAX_TIMESTAMP_LOOKAHEAD = 25
Any pointer would be really helpful, thanks in advance.
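As an added illustration (this is not code from the original post, nor Splunk's own parsing logic), the script below replays the post's ingestion problem offline: it breaks a constructed log stream into events with the same regex as the BREAK_ONLY_BEFORE setting above, then extracts _time two ways. The anchored extractor only accepts a timestamp at the very start of the event within a fixed lookahead, which is what TIME_PREFIX = ^ plus MAX_TIMESTAMP_LOOKAHEAD express in props.conf; the unanchored scan lists every timestamp-looking string anywhere in the event, which is where the JSON "dateCreated"/"shipDate" values become candidates. The sample log lines, the second event with a differing dateCreated, and the function names are constructed for this example.

```python
import re
from datetime import datetime

# Constructed sample: two events in the post's format. The second one carries a
# dateCreated that differs from the framework timestamp so the two extraction
# strategies visibly disagree.
SAMPLE_LOG = """2018-12-03T15:06:42,298 [[my-application].endpointsFlow.stage1.4150] INFO com.xxx.yyy.zzz - Processing Mesage
Message:{
"dateCreated": "2018-12-03T12:00:00Z",
"shipDate": "2018-12-03T12:00:00Z",
"XXX" :"YYYY"
}
2018-12-03T15:07:10,001 [[my-application].endpointsFlow.stage1.4150] INFO com.xxx.yyy.zzz - Processing Mesage
Message:{
"dateCreated": "2018-11-30T08:30:00Z",
"shipDate": "2018-12-05T00:00:00Z",
"XXX" :"ZZZZ"
}
"""

# Same pattern as the post's BREAK_ONLY_BEFORE: an event starts at a line that
# begins with the framework timestamp (comma before the milliseconds).
EVENT_START = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2},\d{3}")

# Anchored extractor: the timestamp must sit at offset 0 of the event.
ANCHORED_TS = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2},\d{3})")

# Unanchored scan: any ISO-8601-looking value, with either ",mmm" or "Z" suffix.
ANY_TS = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:,\d{3}|Z)?")


def split_events(text):
    """Break a multi-line stream into events, starting a new one only before
    a line that matches EVENT_START (the BREAK_ONLY_BEFORE rule)."""
    events, current = [], []
    for line in text.splitlines():
        if EVENT_START.match(line) and current:
            events.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        events.append("\n".join(current))
    return events


def extract_time_anchored(event, lookahead=25):
    """Return the event time only if a framework timestamp starts the event
    within `lookahead` characters; otherwise None. The 25 mirrors the post's
    MAX_TIMESTAMP_LOOKAHEAD. Result is naive (the prefix carries no zone)."""
    m = ANCHORED_TS.match(event[:lookahead])
    if not m:
        return None
    # %f accepts 1-6 digits, so ",298" parses as 298000 microseconds.
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S,%f")


def timestamp_candidates(event):
    """Every timestamp-like string in the event, in order of appearance.
    Anything after the first entry is a JSON date that an unanchored
    extractor could mistake for the event time."""
    return ANY_TS.findall(event)


def index(text, lookahead=25):
    """Simulate ingestion: one row per event with the anchored _time, the
    full candidate list, and the first raw line for reference."""
    rows = []
    for ev in split_events(text):
        rows.append({
            "_time": extract_time_anchored(ev, lookahead),
            "candidates": timestamp_candidates(ev),
            "_raw_first_line": ev.split("\n", 1)[0],
        })
    return rows


def events_without_leading_timestamp(text):
    """Indices of events that did not start with the framework timestamp.
    Such an event has only the JSON dates left as timestamp candidates, so
    this is the first thing to check when _time looks wrong."""
    return [i for i, ev in enumerate(split_events(text))
            if extract_time_anchored(ev) is None]


if __name__ == "__main__":
    for row in index(SAMPLE_LOG):
        print(row["_time"], row["candidates"], "|", row["_raw_first_line"][:40])
    print("events lacking a leading timestamp:",
          events_without_leading_timestamp(SAMPLE_LOG))
```

Run against a copy of the real file the forwarder reads: if events_without_leading_timestamp() returns anything, the event breaking is producing events that begin inside the JSON, and no timestamp setting will recover the right _time for those; if it returns nothing but _time is still wrong in Splunk, the extractor is not being restricted to the prefix, and the anchored behaviour above corresponds to adding TIME_PREFIX = ^ together with TIME_FORMAT = %Y-%m-%dT%H:%M:%S,%3N to the [test:app] stanza (a lookahead of 23 is enough to cover that prefix).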