About varunesh

varunesh · ‎05-10-2023

I have prepared based on your input please confirm. [avamar] [host::usxxxx*] TZ = US/Eastern TIME_PREFIX = \[ I dont understand the below line [source::<<Avamar file path>>] Avamar bkp failure data is being sent from Avamar server to syslog server as when the failures occur , which means in Avamar we configured to send the data to syslog server and splunk avamar data is being indexed from the syslog server, so what is the source I need to mention here?

varunesh · ‎05-10-2023

I found the stanza name "avamar " by providing the sourcetype in the table query. I verified the prop.conf but couldn't find any stanza named avamar. In the other defined sanza in prop.conf they have used the below for the TIME_PREFIX setting TIME_PREFIX = \[ As we need to update the TIME_PREFIX setting specific only to our Avamar host, can you please let me know the syntax for the TIME_PREFIX setting to set specific host or IP to the UTC time zone? Also please share any technote to understand the syntax and other options in TIME_PREFIX setting. Thanks in advance.

varunesh · ‎05-09-2023

I have received the content of props.conf and I searched for both the keywords TIME_PREFIX & TZ but I found some entries for TIME_PREFIX only. Please check the attached images and update back. Even I searched for Avamar keyword but dont find any entries in the conf file and also for logging using syslog I have attached those contents too from the conf file. Thanks

varunesh · ‎05-09-2023

Hi, I checked my access and dont have permission to view the prop.conf will reach out to my splunk admins. I have couple of questions 1. If I change the TIME_PREFIX setting in the prop.conf, it applies only to our Avamar configuration or it applies to the entire splunk configuration? 2. If the setting applies to the entire configuration is there a option to change it only for our Avamar reporting only?

varunesh · ‎05-05-2023

Also please check the below image.

varunesh · ‎05-05-2023

Thanks for the reply, can you please let me know how to access the props.conf file? Do I need to capture the configuration file from Avamar or it will be in splunk server? I have access to splunk cloud where we access our jobs. Please let me know the procedure to access the file.

varunesh · ‎05-05-2023

Hi All, Good Day. Need help in Splunk data receiving. We have Avamar backup node which is sending the data to splunk is in EST time zone. The splunk server is configured with the UTC time zone. The data is being received by splunk which shows the correct time but when the index server parsing the data, thinking it was 4 hours old data and ignoring it. So backup failures are not captured and ticket is not generating for backup failures. Upon verifiying in splunk side, some of the received data between _time & indextime difference of 4 hours and some of them receving correctly. When the difference time is 4 hours splunk is ignoring the data and not generating ticket for failures. Note: The search is running for every 15 minutes if we increase the search duration to see last 4 hours then we will receive lot of duplicates. We have contacted Dell support but they are updating me that backup application just send the data with the MIB file as it when receives the data. It would be the splunk to process the data correctly. Please help to solve the issue and any recommendation is appreciated.

Posts	7
Solutions	0
Karma Given	1
Karma Received	0
Member Since	‎05-05-2023

Online Status	Offline
Date Last Visited	‎05-10-2023 03:37 PM

Help with the Timezone conversion?

Re: Need help with the Timezone conversion

Re: Need help with the Timezone conversion

Re: Need help with the Timezone conversion

Re: Need help with the Timezone conversion

Re: Need help with the Timezone conversion

Re: Need help with the Timezone conversion

Help with the Timezone conversion?