×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
sphariss
New Member
Member since: ‎03-20-2013
‎06-05-2020
Community Statistics
Posts 1
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎03-20-2013
View All

Re: using access-combined I am not able to get the...

by in Getting Data In
‎03-21-2013 01:11 AM
‎03-21-2013 01:11 AM
All right, there seems to be something wrong with how Splunk parses the timestamp. I think you need to explicitly configure how this is parsed - through the following config parameters in props.conf ; TIME_PREFIX TIME_FORMAT MAX_TIMESTAMP_LOOKAHEAD http://docs.splunk.com/Documentation/Splunk/5.0.2/Admin/Propsconf For TIME_FORMAT it will be good to know how to specify the strptime variables, see http://www.strftime.net I believe that your props.conf should look something like; [your sourcetype] MAX_TIMESTAMP_LOOKAHEAD = 50 TIME_PREFIX = \[ TIME_FORMAT = %d/%b/%Y:%H:%M:%S %z the rest of your props parameters here These settings should go into a props.conf file on the indexer (or the heavy forwarder if you use that). Hope this helps, Kristian ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM