We have some events coming in to Splunk that show as follows:
time="09/10/2024 11:41:15"
URL="[Redacted String]"
Name="[Redacted String]"
Issuer="[Redacted String]"
Issued="27/10/2023 13:27:22"
Expires="26/10/2025 12:27:22"
Splunk is using ingest time instead of the time field. In props.conf for this sourcetype I have the following:
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = time=
TIME_FORMAT = "%d/%m/%Y %H:%M:%S"
CHARSET = UTF-8
KV_MODE = none
DISABLED = false
However, the time isn't being extracted properly. What do I need to change / add?
Thanks.