Hello,
I'm using Splunk 6.2.3 and have some problems and questions.
First of all, I'd like to describe the problem I actually have:
I filled Splunk with a larger catalina logfile and saw that Splunk reads a different timestamp than the log actually has.
Here is the line where Splunk may begin to read:
1.3.6.1.4.1.20742.3.5.1.2.1.x.x = XX
[15:35:10,560 - Thread-77 (HornetQ-client-factory-threads-887115841-1086694719)] [CONN] DEBUG - TrapProcessor:110 - [...]
When I use the list view, Splunk shows me the time: 03.03.15, 15:34:22,745
However, the date is correct, only the time isn't.
Further questions are:
Where may I change it, that Splunk asks me to show all "257" lines. Which configs and stanzas do I have to change to get a different value here?
When I'm searching for any search term, Splunk doesn't show me the result in the first line of the result. Sometimes it's in the third line, sometimes in the first. How does Splunk decide which line is the first?
When I'm using Splunk forwarders, do I always have to configure the input in the inputs.conf on the server side?
So, these are a few questions, but I hope you can help me.