The logs I am trying to onboard in Splunk have the following time format, "YY.MM.DD HH:MM:SS", so I made a props.conf accordingly:

[sourcetype name]
DATETIME_CONFIG =
TIME_FORMAT = %y.%m.%d %H:%M:%S
TIME_PREFIX = ^
BREAK_ONLY_BEFORE_DATE = true
MAX_TIMESTAMP_LOOKAHEAD = 20
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false

This config was the one created by Splunk when I parsed the logs as an upload; there the dates were read properly. When I deploy this in production, the sourcetype name exists but does nothing to parse it. Also, the year, month and day are read two times, meaning that the hour in the logs is the date. For example, today all the logs are written in the 23:07:03 hour. I also tried to change DATETIME_CONFIG to CURRENT, but it is also not working. Nothing that I change in the props file is taken into account in prod. For further comprehension of this case: the logs are created in the DMZ and sent to the index through a Deployer in the DMZ. Where could the problem be? Why is props.conf working on the logs when uploaded and not when sent through a UFW?
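As an added self-check that is not part of the post and not Splunk's own code: a Python approximation of the TIME_PREFIX, TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD settings above, run over constructed sample lines in the "YY.MM.DD HH:MM:SS" layout, so the format string can be confirmed against real log lines before the props.conf is deployed.

```python
import re
from datetime import datetime

# Constructed sample lines in the post's "YY.MM.DD HH:MM:SS" layout (not real log data);
# line 3 deliberately carries no timestamp so the check reports it.
SAMPLE_LOG = """23.07.03 09:15:42 INFO service started
23.07.03 09:16:01 WARN retry on connection
bad line without a timestamp
23.07.04 23:07:03 ERROR auth failure for user"""

TIME_FORMAT = "%y.%m.%d %H:%M:%S"   # value from the props.conf in the post
TIME_PREFIX = r"^"                  # value from the props.conf in the post
MAX_TIMESTAMP_LOOKAHEAD = 20        # value from the props.conf in the post


def extract_timestamp(line, time_format=TIME_FORMAT, prefix=TIME_PREFIX,
                      lookahead=MAX_TIMESTAMP_LOOKAHEAD):
    """Locate TIME_PREFIX, then try to parse time_format inside the next
    `lookahead` characters. Returns a datetime, or None when the format does
    not match. This only approximates the settings; it is not Splunk's parser."""
    m = re.search(prefix, line)
    if not m:
        return None
    window = line[m.end():m.end() + lookahead]
    # strptime needs an exact match, so try the longest candidate first and
    # shrink until the format fits (longest-first avoids a truncated %S match).
    for end in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:end], time_format)
        except ValueError:
            continue
    return None


def check_log(text):
    """Return (parsed_count, unparsed_line_numbers) for a whole log sample."""
    parsed, failed = 0, []
    for n, line in enumerate(text.splitlines(), 1):
        if extract_timestamp(line) is None:
            failed.append(n)
        else:
            parsed += 1
    return parsed, failed


if __name__ == "__main__":
    ok, bad = check_log(SAMPLE_LOG)
    print(f"{ok} lines parsed, unparsed line numbers: {bad}")
```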