Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Logs parses fine during the day but groups multiple entries together from midnight - 1am

king2jd
Path Finder
‎03-27-2017 10:08 AM

alt text

Preview file
1 KB
0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎03-27-2017 10:23 AM

Can you post your props.conf which is located on your indexer(s) under $SPLUNK_HOME/etc/system/local?

0 Karma
Reply

king2jd
Path Finder
‎03-27-2017 11:20 AM

We are using the settings from the /opt/splunk/etc/system/default/props.conf

0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎03-27-2017 11:47 AM

Did you copy and paste the default settings to your local settings?

I would recommend you create a new props.conf under $SPLUNK_HOME/etc/system/local

[source::YOUR_SOURCE_PATH]
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S,$3N
MAX_TIMESTAMP_LOOAKAHEAD = 30
LINE_BREAKER = \[\d\/\d+\/\d+\s\d\:\d+\:\d+\:\d+\sEDT\]
SHOULD_LINEMERGE = false
TRUNCATE = false
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...