|
Hi, Sorry if this has been asked before but I could do with a quick straightforward answer for this one. We have a text based logfile which has each line starting with dd/MM/yy - HH:mm:ss (05/08/11 - 09:51:32) The problem is that splunk is reading the date as MM/dd/yy, so our logs are all over the place, over the last 3 days we now have logs for 8th march, 8th april, and 8th may.... The logs are collected by a Universal forwarder on a windows server. Which config file do I need to edit and what do I need to edit it with to get this to start parsing the date correctly? Many Thanks, Fraser |
|
The file to edit or add is Let's say the sourcetype for your log is "mylog". In that case you'll need to add this to These changes will take effect on new events that are indexed after restarting Splunk. Thanks for the quick response. I have just tried that however the latest logs are still coming in with the incorrect date. I restarted both splunk server and the universal forwarder. Should the .conf file be put on the splunk server or the server with the universal forwarder? or both? I have put this in the props file. [source::V:\\MGR1.1\\system\\SYSTEM.LOG] TIME_FORMAT = %d/%m/%y - %H:%M:%S
(05 Aug '11, 03:02)
fraserhardy
in your case , props.conf should be put on indexer not on UF (http://www.splunk.com/wiki/Where_do_I_configure_my_Splunk_settings%3F )
(05 Aug '11, 03:42)
dmlee
Just to update.. I got it working by replacing the drive letter in the source. [source::...MGR1.1\\system\\SYSTEM.LOG]
(05 Aug '11, 04:39)
fraserhardy
|
