Getting Data In

Splunk not indexing data if time contains a colon

caatplan_mike
Engager

I'm having an odd issue with Splunk. I'm attempting a scripted input that outputs current users logged into an Oracle database and am formatting the login date value as yyyy-mm-dd hh24:mi:ss. This seems like a reasonable time format.

Splunk seems to have a problem with the : in the time. Looking in splunkd.log, everything looks fine, e.g. "Ran script: /opt/splunkforwarder/etc/apps/scripts/bin/oracle_who, took 81.59 milliseconds to run, 1825 bytes read". But if I look for the data in Splunk, it's nowhere to be found.

If I change the time separator to a space, Splunk indexes the data, but I'm not sure it recognizes the values as a time value.

Here's a sample of the data that is ignored by Splunk.

build,bob,152,42901,bob,terminal02,toad.exe,2013-01-14 17:22:10
build,sue,154,21447,sue,terminal01,toad.exe,2013-01-14 17:22:15
build,jim,195,34447,jim,unknown,sql developer,2013-01-14 13:50:49

Here's a sample of data that is indexed by Splunk successfully.

build,bob,152,42901,bob,terminal02,toad.exe,2013-01-14 17 22 10
build,sue,154,21447,sue,terminal01,toad.exe,2013-01-14 17 22 15
build,jim,195,34447,jim,unknown,sql developer,2013-01-14 13 50 49

Using colon as a field separator works fine too.

build:bob:152:42901:bob:terminal02:toad.exe:2013-01-14 17 22 10
build:sue:154:21447:sue:terminal01:toad.exe:2013-01-14 17 22 15
build:jim:195:34447:jim:unknown:sql developer:2013-01-14 13 50 49

I'd prefer to keep the colons in the time value since it's pretty standard, but I'm not averse to formatting the time in a different way if it's usually done some other way.

I'm running Splunk 5.0.1 on both the forwarder and the indexer.

--UPDATE--

It's now clear Splunk was using the login time as the timestamp, which isn't what I'm after. I'd like Splunk to use the current time as the timestamp. I read through the props.conf.spec and have made the following configuration files, but they don't seem to be having the desired effect. All config files are located in /opt/splunkforwarder/etc/apps/scripts/default.

inputs.conf

[script:///opt/splunkforwarder/etc/apps/scripts/bin/oracle_who]
interval = 300
sourcetype = oracle_who
source = script://./bin/oracle_who

props.conf

[oracle_who]
REPORT-oracle_who-fields = extract-oracle_who-fields
DATETIME_CONFIG = NONE
SHOULD_LINEMERGE = false
BREAK_ONLY_BEFORE_DATE = false

transforms.conf

[extract-oracle_who-fields]
DELIMS = ","
FIELDS = instance, username, sid, serial, osuser, host, program, login_time

I used this document for developing my scripted input: http://docs.splunk.com/Documentation/Splunk/5.0.1/Data/Setupcustominputs#Example_using_inputs.conf


kristian_kolb
Ultra Champion

I guess a good place to start is to check out the TIME_FORMAT, TIME_PREFIX and MAX_TIMESTAMP_LOOKAHEAD parameters that can be set for your source/sourcetype in props.conf.

http://docs.splunk.com/Documentation/Splunk/5.0.1/Admin/Propsconf

hope this helps,

Kristian

caatplan_mike
Engager

Hi Kristian, this definitely helped. I can see now that Splunk was indexing my data using the login_time as the timestamp value of the record, which is not the behaviour I'm after. I've attempted to disable this without success (I'll update the OP with my config files).

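A props.conf that does what the update asks for, added here as an example and not taken from the thread; it assumes the same sourcetype name and comma layout as the posted files. The point the thread circles around is that DATETIME_CONFIG and the TIME_* settings are parse-time settings, which a universal forwarder never applies, so they must live on the indexer (or a heavy forwarder) rather than under /opt/splunkforwarder, and this version also shows the TIME_PREFIX/TIME_FORMAT/MAX_TIMESTAMP_LOOKAHEAD approach Kristian pointed at, for anyone who does want login_time as _time.

```ini
# props.conf on the INDEXER (or a heavy forwarder). A universal forwarder
# does not run the parsing pipeline, so a copy of these settings under
# /opt/splunkforwarder/etc/apps/scripts/default never changes timestamps.
[oracle_who]
SHOULD_LINEMERGE = false

# Option A (what the poster asked for): stamp every event with the time it
# is received, and keep login_time purely as an extracted field. Events no
# longer get back-dated to the session's login time, which is why they
# seemed to "vanish" from searches over recent time ranges.
DATETIME_CONFIG = CURRENT

# Option B (use INSTEAD of option A): keep login_time as _time, but tell
# Splunk exactly where it sits so the colons are never ambiguous.
# The prefix skips the first seven comma-delimited fields; the lookahead
# is the exact length of "2013-01-14 17:22:10".
# TIME_PREFIX = ^(?:[^,]*,){7}
# TIME_FORMAT = %Y-%m-%d %H:%M:%S
# MAX_TIMESTAMP_LOOKAHEAD = 19

# Search-time field extraction; REPORT- stanzas are applied where searches
# run (search head / indexer), so the matching transforms.conf goes there.
REPORT-oracle_who-fields = extract-oracle_who-fields
```

With option A the login_time field is still available for searching and sorting; it just no longer drives _time.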