I am having issues getting Splunk to parse the ISO8601/RFC3339 timestamps included in my log messages.
I am using the syslog data source, which I configured to parse timestamps with the following format string: %Y-%m-%dT%H:%M:%S.%6N%:z
This is what the props.conf file looks like (I also tried increasing the MAX_TIMESTAMP_LOOKAHEAD setting to 64, but it did not help):
MAX_TIMESTAMP_LOOKAHEAD = 32
NO_BINARY_CHECK = true
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6N%:z
disabled = false
This is how Splunk is outputting my log messages:
2017-05-09T19:56:50.233319+00:00 myhost myapp1: 19:56:50.233 [info] This is just a dummy log message
As you can see, Splunk is automatically adding yet another timestamp to my log message (i.e., 19:56:50.233), as if it were not able to parse the original timestamp.
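As an added example (not part of the original question), the following Python check splits the quoted output line into its syslog header fields and parses the leading timestamp with the closest strptime equivalent of the TIME_FORMAT from props.conf. Python has no %6N or %:z directive, so %f and %z are substituted by hand; the regex for the header layout is an assumption based on the one line shown.

```python
import re
from datetime import datetime

# Constructed sample: the output line quoted in the question.
SAMPLE = ("2017-05-09T19:56:50.233319+00:00 myhost myapp1: "
          "19:56:50.233 [info] This is just a dummy log message")

# Splunk TIME_FORMAT from the question: %Y-%m-%dT%H:%M:%S.%6N%:z
# strptime has no %6N (six-digit fraction) or %:z (offset with a colon);
# %f takes 1-6 fractional digits and %z accepts "+00:00" (Python >= 3.7).
PY_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"

# Assumed header layout, taken from the single line shown:
#   <timestamp> <hostname> <tag>: <message>
HEADER_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<tag>[^:\s]+):\s(?P<msg>.*)$")


def split_syslog_line(line: str) -> dict:
    """Split one line into timestamp, host, tag and message body."""
    m = HEADER_RE.match(line)
    if m is None:
        raise ValueError("line does not match <ts> <host> <tag>: <msg>")
    return m.groupdict()


def parse_event_time(ts: str) -> datetime:
    """Parse the leading timestamp the way the question's TIME_FORMAT intends."""
    return datetime.strptime(ts, PY_FORMAT)


def check_line(line: str, lookahead: int = 32) -> dict:
    """Parse the line and report whether the timestamp fits in the lookahead.

    The question's props.conf sets MAX_TIMESTAMP_LOOKAHEAD = 32, so the
    timestamp length is compared against that by default.
    """
    parts = split_syslog_line(line)
    ts = parts["ts"]
    return {
        "time": parse_event_time(ts),
        "ts_len": len(ts),
        "within_lookahead": len(ts) <= lookahead,
        "body": parts["msg"],
    }


if __name__ == "__main__":
    r = check_line(SAMPLE)
    print(r["time"].isoformat(), r["ts_len"], r["within_lookahead"])
    print("message body:", r["body"])
```

The result separates what the syslog header contributes (the 32-character ISO8601 timestamp, exactly the configured lookahead) from what remains in the message body after the "myapp1:" tag.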