|
I have a log event with a timestamp that includes milliseconds:

2010-07-30 11:16:43,357

If the log is loaded into Splunk on the indexer, the subseconds get recognized. If the log is forwarded via LightForwarder, subseconds are not recognized:

7/30/10 11:16:43,000 AM

How can I correct this? Thanks in advance. |
|
Is this the case for all data or just from this source? I've tested a 4.1.x instance with the logs in index=_internal and subseconds are correctly parsed and rendered. Are there custom timestamping rules on the forwarder? |
|
Have you tried setting the time format for that sourcetype explicitly in props.conf? I think the TIME_FORMAT would be

%m/%d/%y %H:%M:%S,%3N

Not sure, but there may be a difference in how Splunk examines your data when coming via LightForwarder, and the props.conf setting should force the same behavior. |
|
We are sure there are no other rules on the LightForwarder. We also deleted all files under .../apps/learned and .../etc/users. Subseconds still are not recognized from ALL sources. Any more ideas how to debug / loglevel to make timestamp recognition visible? Thanks for helping, Meno |
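
One way to make the subsecond loss discussed in this thread visible per event, as an added example that is not part of the thread or of Splunk itself: compare the milliseconds in each raw event with the fractional part of its indexed time. It assumes a CSV export with a `_time` column in epoch seconds and a `_raw` column; the sample rows and the function name are constructed for illustration.

```python
import csv
import io
import re
from decimal import Decimal

# Raw timestamp layout from the question: 2010-07-30 11:16:43,357
RAW_TS = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},(\d{3})")

# Constructed sample export (assumption: _time is epoch seconds with a
# fractional part, _raw is the original event text).
SAMPLE_EXPORT = '''_time,_raw
1280488603.357,"2010-07-30 11:16:43,357 INFO job started"
1280488603.000,"2010-07-30 11:16:43,357 INFO job started"
1280488604.000,"2010-07-30 11:16:44,000 INFO exactly on the second"
1280488605.000,"line without a leading timestamp"
'''


def subsecond_mismatches(export_text):
    """Return (indexed_time, raw_ms, indexed_ms) for every event whose
    indexed time lost or changed the milliseconds present in the raw text.

    Only the subsecond part is compared, so the result does not depend on
    the time zone used to interpret the raw timestamp.
    """
    mismatches = []
    for row in csv.DictReader(io.StringIO(export_text)):
        match = RAW_TS.match(row["_raw"])
        if match is None:
            continue  # no timestamp in the expected layout; nothing to compare
        raw_ms = int(match.group(1))
        # Decimal avoids float rounding when isolating the fraction.
        indexed_ms = int((Decimal(row["_time"]) % 1) * 1000)
        if raw_ms != indexed_ms:
            mismatches.append((row["_time"], raw_ms, indexed_ms))
    return mismatches


if __name__ == "__main__":
    for indexed_time, raw_ms, indexed_ms in subsecond_mismatches(SAMPLE_EXPORT):
        print(f"{indexed_time}: raw has ,{raw_ms:03d} but index has ,{indexed_ms:03d}")
```

Running the same check on events from a directly indexed source and from a forwarded source shows whether the truncation is limited to the forwarded path.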
