Solved: Edit of Time_format in props.conf on Cluster Maste...

yAlff · ‎08-14-2013

Hello Community,

My Setup is 1 SearchHead, 1 Cluster Master, 2 Indexers and a bunch of Forwarders.
A logfile looks something like that:

<134>Aug 14 07:46:04 pm-1234

With pm-1234 as the host name. So Splunk does interpret the pm in the host name as past morning. In the example the interpreted time would be 19:46:04, but it it correctly 07:46:04 AM.

Yesterday, I added to the sourcetype in props.conf on Cluster Master following line:

TIME_FORMAT=%b %d %H:%M:%S

Followed by command

splunk apply cluster-bundle

But as I looked this morning, the new logfile entries are still interpreted false.

What did I forget?

Note: If I ingest the data and define another sourcetype for the data, where I set the TIME_FORMAT right, the timestamp is interpreted correctly; but this is not an option for me; it was only for testing. But if I edit this sourcetype in props.conf, I don't see that the change was successful.

yAlff · ‎08-20-2013

Ok, I had to use

TIME_PREFIX=<134>

now it works! Fine 🙂

View solution in original post

yAlff · ‎08-20-2013

Ok, I had to use

TIME_PREFIX=<134>

now it works! Fine 🙂

Edit of Time_format in props.conf on Cluster Master does not strike through

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!