I'm having trouble with a log and getting Splunk to recognize the time format.
Here is an example of a log entry:
```
010406:00:530000000000000040RD000001071215
```
Now, all the entries start with `0104` followed by the time in `H:M:S` format.
I've added a props.conf to the indexer like this:
```ini
[sisfeedlog]
TIME_PREFIX = ^0104
TIME_FORMAT = %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 8
```
and a props.conf on the server:
```ini
[source::...\\SISFeed\\S(\d+\.LOG)]
sourcetype = sisfeedlog
```
It doesn't seem to be working though as the time isn't being extracted and the sourcetype is coming up as unknown.
Any advice on why it's not working?
Thanks,
Mark
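Added example, not part of the original post and not Splunk's own code: a small Python harness that approximates the two props.conf mechanisms the question depends on, so a stanza can be sanity-checked offline against sample lines and sample source paths before it is deployed to an indexer or forwarder. It treats `TIME_PREFIX` as a regex, `TIME_FORMAT` as a strptime format, and `MAX_TIMESTAMP_LOOKAHEAD` as the number of characters after the prefix in which the timestamp must parse; for the `[source::...]` stanza it reads `...` as "any characters, including path separators" and `*` as "any characters except path separators" and passes the rest through as a regex. Those readings, the parse-shortest-window fallback, and the sample lines and Windows path are this example's assumptions and constructed inputs, not Splunk's actual parser behaviour.

```python
import re
from datetime import datetime

# Values copied from the stanzas in the post.
TIME_PREFIX = r"^0104"
TIME_FORMAT = "%H:%M:%S"
MAX_TIMESTAMP_LOOKAHEAD = 8
SOURCE_STANZA = r"...\\SISFeed\\S(\d+\.LOG)"

# Constructed sample lines: the first is the line from the post, the others
# are variations made up to exercise the failure cases.
SAMPLE_LINES = [
    "010406:00:530000000000000040RD000001071215",  # the posted line
    "010423:59:590000000000000041RD000001071215",  # constructed: valid, end of day
    "010499:00:000000000000000042RD000001071215",  # constructed: hour 99 is invalid
    "020406:00:530000000000000040RD000001071215",  # constructed: prefix is not 0104
]


def extract_time(line, prefix=TIME_PREFIX, fmt=TIME_FORMAT,
                 lookahead=MAX_TIMESTAMP_LOOKAHEAD):
    """Approximate TIME_PREFIX / TIME_FORMAT / MAX_TIMESTAMP_LOOKAHEAD.

    Returns a datetime.time parsed from the window that follows the prefix,
    or None when the prefix does not match or nothing in the window parses.
    strptime requires the whole string to match the format, so the window is
    shortened one character at a time (an assumption about how a lookahead
    larger than the timestamp should behave, not Splunk's real algorithm).
    """
    m = re.search(prefix, line)
    if not m:
        return None
    start = m.end()
    for end in range(start + lookahead, start, -1):
        try:
            return datetime.strptime(line[start:end], fmt).time()
        except ValueError:
            continue
    return None


def stanza_to_regex(pattern):
    """Translate a [source::...] pattern into a Python regex.

    Assumption: '...' matches anything (including separators), '*' matches
    anything but a separator, and the remaining text is already a regex.
    A single re.sub pass avoids re-expanding the '*' inside the '.*' we emit.
    """
    return re.sub(r"\.\.\.|\*",
                  lambda w: ".*" if w.group() == "..." else r"[^\\/]*",
                  pattern)


def source_matches(pattern, source_path):
    """True when the full source path matches the translated stanza pattern."""
    return re.fullmatch(stanza_to_regex(pattern), source_path) is not None


def check_lines(lines):
    """Map each sample line to its extracted time (as ISO text) or None."""
    t = {}
    for line in lines:
        parsed = extract_time(line)
        t[line] = parsed.isoformat() if parsed else None
    return t


if __name__ == "__main__":
    for line, result in check_lines(SAMPLE_LINES).items():
        print(f"{line}  ->  {result}")
    # Constructed paths; real forwarder paths will differ.
    for path in (r"D:\logs\SISFeed\S20071215.LOG",
                 r"D:\logs\SISFeed\S20071215.log",
                 r"D:\logs\Other\S20071215.LOG"):
        print(f"{path}  ->  {source_matches(SOURCE_STANZA, path)}")
```

The harness confirms the timestamp stanza parses the posted line (`06:00:53`) and rejects the invalid-hour and wrong-prefix variants, and shows that the source pattern is case-sensitive as written, so a path ending in `.log` rather than `.LOG` would not be assigned the sourcetype under this reading of the wildcards.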