I have some difficulties with date/timestamping with a certain logfile.
The logfile itself only contains HH.MM.SS.
Example:
06:42:01.211 report /media/Logfiles/LOG_121202_20161231_064206.xml has been created
06:42:01.212 Nextreport is scheduled to 2016.12.31 07:42:01.000
06:42:07.223 LOG and requested data files: 1 item(s) to upload (newest first)
06:42:07.311 Uploaded LOG_121202_20161231_064206.xml (3659 bytes) --> 1.2.3.4
To prevent Splunk from using any numbers and datestamps found in the log message text, I modified props.conf like
TIME_FORMAT=%H:%M:%S.%3N
Time is now OK, but the date is the problem. It is available in the hostname; however, Splunk does not retrieve it and uses the date modified instead. As these daily logfiles are written just after midnight, this file-modified date is always 1 day ahead.
The filename is in this format:
LOG_121202_20161231_000000.txt
where the first number sequence is the device serial number and the second number sequence is the proper date. The third sequence is always zero. In this case Y=2016, M=12, Day=31. However, the file modification date is 2017-01-01 00:00:01. Splunk retrieved this date.
Is there any way to force the filedate as date stamp in precedence over modification date?
I'm trying to figure it out by modifying the datetime.xml, but it seems to ignore any setting I make.
props.conf:
DATETIME_CONFIG = /Applications/Splunk/etc/datetime.xml
datetime.xml
Any ideas?
An alternative would be a way to just subtract 1 day from the discovered file modification date? (Seems not the best/stable way?)
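To make the intended timestamp logic concrete (this is an added illustration, not code from the question or from Splunk): the date is taken from the second field of the filename, the time of day from the HH:MM:SS.mmm prefix of each line, and the file's modification time is only used to measure how far off it would be. Filename layout, sample line and modification time are the ones quoted above; the regexes and function names are my own assumptions.

```python
import re
from datetime import datetime

# Filename layout from the question: LOG_<serial>_<YYYYMMDD>_<HHMMSS>.<ext>
# The second group is the date that should take precedence over the file mtime.
FILENAME_RE = re.compile(
    r"^LOG_(?P<serial>\d+)_(?P<date>\d{8})_(?P<time>\d{6})\.(?:xml|txt)$"
)

# Event lines start with HH:MM:SS.mmm (matches TIME_FORMAT=%H:%M:%S.%3N).
# Anchoring at line start means dates inside the message text are ignored.
LINE_RE = re.compile(r"^(?P<hms>\d{2}:\d{2}:\d{2})\.(?P<ms>\d{3})\s")


def date_from_filename(name: str) -> datetime:
    """Return the date encoded in the filename (at midnight); ValueError if not matched."""
    m = FILENAME_RE.match(name)
    if not m:
        raise ValueError(f"unexpected filename: {name}")
    return datetime.strptime(m.group("date"), "%Y%m%d")


def event_timestamp(filename: str, line: str) -> datetime:
    """Combine the filename date with the time-of-day prefix of one log line."""
    day = date_from_filename(filename)
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"no HH:MM:SS.mmm prefix on line: {line!r}")
    tod = datetime.strptime(m.group("hms"), "%H:%M:%S")
    return day.replace(hour=tod.hour, minute=tod.minute, second=tod.second,
                       microsecond=int(m.group("ms")) * 1000)


def mtime_offset_days(filename: str, mtime: datetime) -> int:
    """Days by which the file's modification date is ahead of the filename date."""
    return (mtime.date() - date_from_filename(filename).date()).days


# Constructed sample, reusing the values quoted in the question.
SAMPLE_FILE = "LOG_121202_20161231_000000.txt"
SAMPLE_LINE = "06:42:01.212 Nextreport is scheduled to 2016.12.31 07:42:01.000"
SAMPLE_MTIME = datetime(2017, 1, 1, 0, 0, 1)  # the date Splunk picked instead

if __name__ == "__main__":
    print(event_timestamp(SAMPLE_FILE, SAMPLE_LINE).isoformat(timespec="milliseconds"))
    print(mtime_offset_days(SAMPLE_FILE, SAMPLE_MTIME))
```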