Hi,
In order to understand which props.conf needs to be configured, it is important to understand the data pipeline; please refer to this link for more information:
https://docs.splunk.com/Documentation/Splunk/7.0.1/Admin/Configurationparametersandthedatapipeline
And to answer your question, if your Splunk architecture only has a Splunk UF installed on your syslog-ng host and forwards logs directly to the Splunk indexer, you will need to configure your timestamp settings in the indexer's props.conf. In certain situations, if you apply INDEXED_EXTRACTIONS in your Universal Forwarder's props.conf, you will need to configure timestamp extractions in that same props.conf on the UF as well.
If your UF is forwarding data to a Heavy Forwarder before it reaches the indexer, you will need to configure the timestamp settings in the HF's props.conf.
Lastly, please review your timestamp configurations for the firewall sourcetype. These are the configurations used for timestamp extractions:
- TIME_PREFIX
- TIME_FORMAT
- MAX_TIMESTAMP_LOOKAHEAD
- TZ
- DATETIME_CONFIG
Hope it clears your doubts!
Regards,
Benjamin
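To show how the settings listed in the answer fit together, here is a small added example (constructed by the editor, not Benjamin's code and not Splunk's): a simplified model of how TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD, TIME_FORMAT and TZ are applied to a constructed firewall event, including the failure mode where the lookahead is too short. The stanza values, the sample event and the fallback offset are assumptions for the sample.

```python
"""Simplified model of how the props.conf settings named in the answer
(TIME_PREFIX, TIME_FORMAT, MAX_TIMESTAMP_LOOKAHEAD, TZ) combine to pull a
timestamp out of a firewall event. Constructed example; not Splunk code."""
import re
from datetime import datetime, timedelta, timezone

# Constructed stanza for a hypothetical firewall sourcetype. DATETIME_CONFIG
# is left at its default so these explicit settings are honoured.
PROPS = {
    "TIME_PREFIX": r"eventtime=",          # regex; timestamp starts right after it
    "TIME_FORMAT": "%Y-%m-%d %H:%M:%S",    # strptime-style, as in props.conf
    "MAX_TIMESTAMP_LOOKAHEAD": 19,         # chars to examine after the prefix
    "TZ": "Europe/Berlin",                 # firewall's local zone (none in the text)
}

# Constructed event. The syslog header carries a different (relay) time,
# which is exactly why TIME_PREFIX has to skip past it.
SAMPLE_EVENT = ("Mar  3 10:15:02 fw01 kernel: action=deny src=10.0.0.5 "
                "eventtime=2024-03-03 10:14:58 proto=tcp dport=445")

def resolve_tz(name):
    """Resolve an IANA zone name; fall back to a fixed offset (assumption for
    the sample: UTC+1 matches Europe/Berlin in March) if no tz database."""
    try:
        from zoneinfo import ZoneInfo
        return ZoneInfo(name)
    except Exception:
        return timezone(timedelta(hours=1))

def extract_timestamp(event, props):
    """Return the event time as an aware UTC datetime, or None on failure."""
    m = re.search(props["TIME_PREFIX"], event)
    if m is None:
        return None  # prefix absent: Splunk would fall back to auto-detection
    window = event[m.end(): m.end() + props["MAX_TIMESTAMP_LOOKAHEAD"]]
    # Splunk tolerates trailing characters inside the lookahead window, so
    # try the longest prefix of the window that satisfies TIME_FORMAT.
    for end in range(len(window), 0, -1):
        try:
            local = datetime.strptime(window[:end], props["TIME_FORMAT"])
        except ValueError:
            continue
        return local.replace(tzinfo=resolve_tz(props["TZ"])).astimezone(timezone.utc)
    return None  # lookahead too short or TIME_FORMAT does not match

if __name__ == "__main__":
    print(extract_timestamp(SAMPLE_EVENT, PROPS))        # 2024-03-03 09:14:58+00:00
    too_short = dict(PROPS, MAX_TIMESTAMP_LOOKAHEAD=10)  # cuts off the time of day
    print(extract_timestamp(SAMPLE_EVENT, too_short))    # None
```

A wrong TZ shifts every event by the zone offset, and a lookahead that is too short silently leaves Splunk to guess from the syslog header, so both are worth checking when a firewall sourcetype shows events at the wrong time.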