I have multiple log files with different sources which log time stamp in different formats as below. In one the cases (CASE 2) I am lossing millisecond precision in splunk. Can some one tell which configuration needs to be changed here and if thet configuration needs to be changed at source type level or some universal setting will handle all issues?
Case 1 (Millisecond timestamp is preserved)
[2018-04-04 00:26:10,649][ERROR][shield.action ] *********
Splunk Time Stamp = 4/4/18 12:26:10.649 AM
Case 2 (Millisecond timestamp lost)
RAW LOG : 2018-04-04 00:29:02,183 INFO response - 2018-04-04 00:29:02,183 *******
Splunk Timestamp :4/4/18 12:29:02.000 AM
Case 3 (Millisecond timestamp is preserved)
RAW log:2018-04-04 00:31:09.118 c.e.f.f.c.p.B**************
SPlunk Time stamp : 4/4/18 12:31:09.118 AM
... View more
I have application with inputs.conf as
host = $decideOnStartup
In serverclass.conf i have entry like
restartSplunkWeb = 0
restartSplunkd = 1
stateOnClient = enabled
Now when i reload deployment server, I can see my deployment app pushing successfully on boxes. But $decideOnStartup is not working as expected untill i manually restart splunk on the forwarder node.
even though splunkd gets restarted after app gets pushed to forwarder. I have to manually restart splunk on forwarder box again.
Am i missing any configuration?
... View more