I want to make sure I understand this. I have logs that Splunk cannot find the timestamp in, and some are missing it.
For the logs that have the time in them, I would just use this in props.conf on the Heavy Forwarders, correct?
[source_type]
TIME_PREFIX = \d\d\/\w\w\w\/\d\d\d\d\:\d\d\:\d\d\:\d\d
TIME_FORMAT = %d/%b/%Y%::z
The log looks like this:
--ab50cd40-A--
[25/Sep/2016:04:08:52 --0400]
BLAH BLAHBLAH BLAHBLAH BLAHBLAH BLAH
BLAH BLAHBLAH BLAHBLAH BLAH
BLAH BLAHBLAH BLAHBLAH BLAH
For the logs that do not have a timestamp, how do I set them to use index time for the timestamp?
--ab50cd30-A--
BLAH BLAHBLAH BLAHBLAH BLAHBLAH BLAH
BLAH BLAHBLAH BLAHBLAH BLAH
BLAH BLAHBLAH BLAHBLAH BLAH
--ac50ad30-H--
BLAH BLAHBLAH BLAHBLAH BLAHBLAH BLAH
BLAH BLAHBLAH BLAHBLAH BLAH
BLAH BLAHBLAH BLAHBLAH BLAH
--090e4955-A--
BLAH BLAHBLAH BLAHBLAH BLAHBLAH BLAH
BLAH BLAHBLAH BLAHBLAH BLAH
BLAH BLAHBLAH BLAHBLAH BLAH
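For comparison, here is an added props.conf example (not from the original post) covering both cases. It assumes the two kinds of events are routed to two placeholder sourcetypes, `modsec_audit_ts` and `modsec_audit_nots`, because `DATETIME_CONFIG = CURRENT` applies to a whole sourcetype, and it assumes the logging host's zone is US Eastern, since the pattern below does not parse the `--0400` offset written by the log.

```ini
# Added example, not from the original post. Sourcetype names are placeholders.

# Events that carry a timestamp on the line after the section marker
[modsec_audit_ts]
# Each event begins with a section marker such as --ab50cd40-A--
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)--[0-9a-f]{8}-[A-Z]--
# TIME_PREFIX must match the text BEFORE the timestamp, not the timestamp itself.
# The marker line contains no "[", so the first "[" is the one opening the timestamp.
TIME_PREFIX = \[
# strptime pattern for 25/Sep/2016:04:08:52
TIME_FORMAT = %d/%b/%Y:%H:%M:%S
# Only look a few characters past the prefix for the timestamp
MAX_TIMESTAMP_LOOKAHEAD = 24
# The "--0400" offset is not consumed by TIME_FORMAT above, so state the zone
# explicitly (assumption: the host writing the log is in US Eastern)
TZ = America/New_York

# Events with no timestamp at all: stamp them with the time they are indexed
[modsec_audit_nots]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)--[0-9a-f]{8}-[A-Z]--
DATETIME_CONFIG = CURRENT
```

Deploy this on the Heavy Forwarders that parse the data (the first place the events are cooked), and check `_time` against a few raw events after the restart; a wrong `TZ` shows up as a constant offset, while a wrong `TIME_PREFIX` shows up as events stamped with index time.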