I want to monitor a log file, a file in which there is a lot of time constraints, Date and time is defined within the log file.
Configuration in props.conf for default is set as DATETIME_CONFIG= \etc\datetime.xml
Since i have to monitor log file, just from 1 source, i am restricted to create any custom app or make any change in the default.
With Current set-up what i am getting is, splunk is reading the time from the content of log file, While the requirement is to get the time at which the file is created or last modified. i.e to ignore the time what splunk is reading from the events (log file).
I'm not sure, DATETIME_CONFIG = none will work if i define this in inputs.conf for that particular Universal Forwarder.
I am also not sure, this can be defined in Inputs.conf or not?
↧