I have the following logs from a customer device:
0080101c40ba,10.10.1.2,1481421584,host1.labtest.com,error-message1,sev1
0080101c4114,10.33.1.3,1481421595,host2.labtest.com,error-message2,sev2
props.conf:
[csv]
FIELD_DELIMITER = ,
FIELD_NAMES = transactionId, hostIp, time, fqdn, MsgType, Severity
TIME_PREFIX = ^(?:[^,]*,){2}
MAX_TIMESTAMP_LOOKAHEAD = 10
TIME_FORMAT = %s
SHOULD_LINEMERGE = False
pulldown_type = 1
REPORT-getfields = testlog_fields
transforms.conf:
[testlog_fields]
DELIMS=","
FIELDS = "transactionId", "hostIp", "time", "fqdn", "MsgType", "Severity"
The log files I received have an incorrect timestamp on them, meaning not the time when the logs were generated. After ingesting the logs, I noticed Splunk is using the log ingest time as the index time (as shown in _time). Is there any way to force Splunk to use the epoch time inside the logs as the index time so that I can search for "last 7 days" or "last month" events?
Thanks
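An added check, not part of the original post or of Splunk itself, that emulates what the posted TIME_PREFIX / MAX_TIMESTAMP_LOOKAHEAD / TIME_FORMAT=%s settings and the DELIMS/FIELDS transform should do to the two sample lines. The emulation is a deliberate simplification of Splunk's timestamp processor (an assumption); it is useful for confirming that the settings locate the epoch before looking elsewhere, such as which tier the props.conf is deployed on.

```python
import re
from datetime import datetime, timezone

# Constructed sample input: the two lines quoted in the question.
SAMPLE_LINES = [
    "0080101c40ba,10.10.1.2,1481421584,host1.labtest.com,error-message1,sev1",
    "0080101c4114,10.33.1.3,1481421595,host2.labtest.com,error-message2,sev2",
]

# Values taken from the posted props.conf / transforms.conf.
TIME_PREFIX = r"^(?:[^,]*,){2}"   # skip the first two comma-separated fields
MAX_TIMESTAMP_LOOKAHEAD = 10      # an epoch in seconds is 10 digits today
FIELD_NAMES = ["transactionId", "hostIp", "time", "fqdn", "MsgType", "Severity"]


def extract_epoch(line, time_prefix=TIME_PREFIX, lookahead=MAX_TIMESTAMP_LOOKAHEAD):
    """Emulate timestamp location: apply TIME_PREFIX, then inspect at most
    MAX_TIMESTAMP_LOOKAHEAD characters for a TIME_FORMAT=%s (epoch) value.
    Returns the epoch as an int, or None when Splunk would fall back to
    the index (ingest) time for this line."""
    m = re.match(time_prefix, line)
    if m is None:
        return None
    window = line[m.end():m.end() + lookahead]
    digits = re.match(r"\d+", window)
    if digits is None:
        return None
    return int(digits.group(0))


def event_time(line):
    """Return the _time the settings should assign, as a UTC datetime, or None."""
    epoch = extract_epoch(line)
    if epoch is None:
        return None
    return datetime.fromtimestamp(epoch, tz=timezone.utc)


def split_fields(line):
    """Search-time extraction equivalent to the DELIMS="," / FIELDS transform."""
    return dict(zip(FIELD_NAMES, line.split(",")))


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        fields = split_fields(line)
        print(fields["fqdn"], fields["time"], "->", event_time(line))
```

If this prints December 2016 timestamps for both lines, the regex and format are sound and the remaining suspects are the sourcetype assignment and where the props.conf is applied.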