I've been through the forums and this has been asked many times, but I'm not getting anywhere with it. I'm admitting defeat and asking for help.
We have a log from a host. The host is in this format:
01/11/11 00:18:05 [ 1] - I) Connected
01/11/11 00:18:05 [ 1] - I) Sending NUA
01/11/11 00:18:05 [ 1] - I) Sarian B: CALL NBMS_HOST01
01/11/11 00:18:06 [ 1] - I) Send data
01/11/11 00:18:06 [ 1] - I) Packet = 1. Dial_count1 = 1
The date above is 1st November, not 11th January. The file is saved at:
c:\trace.log
There is a month's worth of data in each file, starting with the 1st of the month. I haven't managed to tell Splunk that the date is in d/m/Y format instead of m/d/Y format. The props.conf file on both the Windows and Linux boxes contains:
[source::"c:\\trace.log"]
TIME_FORMAT = %d/%m/%Y
[source="c:\trace.log"]
TIME_FORMAT = %d/%m/%Y
[source="c:\\trace.log"]
TIME_FORMAT = %d/%m/%Y
datetime.xml on both the server and the Windows forwarder has:
<define name="_masheddate3" extract="day, month, year">
<text><![CDATA[(?:^|source::).*?(?<!\d|\d\.)([012]\d|3[01])(0\d|1[012])(?:20)?([901]\d)(?!\d| {2,})]]></text>
</define>
added, and _masheddate3 is added in datePatterns.
(props.conf contains 3 items as I'm trying to get any combination to pick up.) I think that is all I need to do, except the results on the web page show:
11/01/2011 00:44:09.000 01/11/11 00:44:09 [ 1] - I) Sarian B: CALL NBMS_HOST01
host=RSCA6976A sourcetype=trace-too_small source=C:\trace.log
You can see it's still picking up US instead of UK date format. The first datetime is Splunk-generated; the second datetime is data from the log.
I'm clearly doing something wrong and would appreciate any ideas as I don't think I'm doing anything too complicated.
Thank you
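As an added illustration (not part of the original post), the day/month ambiguity described above worked in Python: the leading timestamp is parsed under both a day-first and a month-first layout, and the property the post mentions (one month of data per file, starting on the 1st) is used as a sanity check to decide which layout the file actually follows. The sample lines are constructed to match the excerpt; because the year in the excerpt has two digits, the format strings use %y rather than %Y.

```python
import re
from datetime import datetime

# Constructed sample lines in the same layout as the trace.log excerpt;
# the dates are intended as day/month/two-digit-year (November 2011).
SAMPLE_LINES = [
    "01/11/11 00:18:05 [ 1] - I) Connected",
    "01/11/11 00:18:05 [ 1] - I) Sending NUA",
    "02/11/11 09:02:44 [ 1] - I) Send data",
    "13/11/11 17:45:00 [ 1] - I) Packet = 1. Dial_count1 = 1",
]

# Leading timestamp of each line: two-digit date parts plus HH:MM:SS.
TS_RE = re.compile(r"^(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ")

FORMATS = {
    "uk": "%d/%m/%y %H:%M:%S",   # day first, two-digit year
    "us": "%m/%d/%y %H:%M:%S",   # month first, two-digit year
}


def parse_timestamps(lines, layout):
    """Parse each line's timestamp under the given layout.

    Returns a datetime per line, or None where the line has no leading
    timestamp or the text is impossible under that layout (e.g. month 13).
    """
    out = []
    for line in lines:
        m = TS_RE.match(line)
        if not m:
            out.append(None)
            continue
        try:
            out.append(datetime.strptime(m.group(1), FORMATS[layout]))
        except ValueError:
            out.append(None)
    return out


def plausible_layout(lines):
    """Return the layout under which every line parses, all timestamps fall in
    one calendar month, and time never runs backwards; None if neither fits."""
    for layout in ("uk", "us"):
        stamps = parse_timestamps(lines, layout)
        if any(s is None for s in stamps):
            continue
        same_month = len({(s.year, s.month) for s in stamps}) == 1
        ordered = all(a <= b for a, b in zip(stamps, stamps[1:]))
        if same_month and ordered:
            return layout
    return None
```

Lines whose day part is 12 or lower parse under both layouts, so the single-month and ordering checks are what separate them; a day above 12 rules the wrong layout out on its own.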