I am having issues getting Splunk to parse the ISO8601/RFC3339 timestamps included in my log messages.
I am using the syslog data source, which I configured to parse timestamps with the following format string: %Y-%m-%dT%H:%M:%S.%6N%:z
This is how the props.conf file looks (I also tried increasing the MAX_TIMESTAMP_LOOKAHEAD setting to 64, but it did not help):
[syslog]
DATETIME_CONFIG =
MAX_TIMESTAMP_LOOKAHEAD = 32
NO_BINARY_CHECK = true
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6N%:z
disabled = false
This is how Splunk is outputting my log messages:
2017-05-09T19:56:50.233319+00:00 myhost myapp1[13861]: 19:56:50.233 [info] This is just a dummy log message
As you can see, Splunk is automatically adding yet another timestamp to my log message (i.e., 19:56:50.233), just as if it were not able to parse the original timestamp.
Hi efcasado,
If I had an example of your logs I could test it, but it seems to me that the problem may be in the timezone:
%Y-%m-%dT%H:%M:%S.%6N%z
Bye.
Giuseppe
Can you please add the raw data here too? Splunk won't add a new time as per the above config, but I feel it is added by your syslog server or an upstream system.
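To check where the second timestamp comes from, here is an added example (not from the poster or from Splunk) that splits the line quoted in the question into its syslog header fields and parses the leading RFC 3339 timestamp in the way the %Y-%m-%dT%H:%M:%S.%6N%:z format expects; the sample line is the one from the question, re-typed as constructed input, and the regex for the syslog header is an assumption about that line's layout.

```python
import re
from datetime import datetime

# Constructed sample: the line as Splunk displayed it in the question.
SAMPLE = ("2017-05-09T19:56:50.233319+00:00 myhost myapp1[13861]: "
          "19:56:50.233 [info] This is just a dummy log message")

# Assumed header layout: <RFC 3339 timestamp> <host> <app>[<pid>]: <message>
SYSLOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:?\d{2}))\s+"
    r"(?P<host>\S+)\s+(?P<app>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?:\s*(?P<msg>.*)$"
)


def parse_rfc3339(ts: str) -> datetime:
    """Parse a timestamp shaped like %Y-%m-%dT%H:%M:%S.%6N%:z (colon in the offset)."""
    if ts.endswith("Z"):                      # 'Z' is the same as +00:00
        ts = ts[:-1] + "+00:00"
    m = re.match(r"^(.*T\d{2}:\d{2}:\d{2})(?:\.(\d+))?([+-]\d{2}):?(\d{2})$", ts)
    if not m:
        raise ValueError(f"not an RFC 3339 timestamp: {ts!r}")
    base, frac, off_h, off_m = m.groups()
    # %6N means six fractional digits; pad or truncate so strptime's %f accepts it.
    frac = (frac or "")[:6].ljust(6, "0")
    # Drop the colon from the offset so this also works on Python versions whose
    # %z does not accept "+00:00".
    return datetime.strptime(f"{base}.{frac}{off_h}{off_m}", "%Y-%m-%dT%H:%M:%S.%f%z")


def split_syslog_line(line: str) -> dict:
    """Return header fields, the parsed event time, and whether the message body
    carries its own HH:MM:SS prefix (written by the application, not by Splunk)."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("line does not start with an RFC 3339 syslog header")
    fields = m.groupdict()
    fields["event_time"] = parse_rfc3339(fields["ts"])
    fields["msg_has_own_time"] = bool(
        re.match(r"^\d{2}:\d{2}:\d{2}(?:\.\d+)?\s", fields["msg"]))
    return fields


if __name__ == "__main__":
    for k, v in split_syslog_line(SAMPLE).items():
        print(f"{k:18} {v}")
```

For the sample line the header timestamp parses cleanly and the message body still begins with "19:56:50.233 [info]", i.e. the second time is part of the text the application (or an upstream relay) emitted, which is what the answer above suggests.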