My data is from a command system that is being sent over UDP connection direct to the indexer. It sends data to Splunk every hour.
Data format is Month Date Time sent from command system, system name, 1, Logon Time
Examples
Dec 10 00:51:46 system.network.net 1 2019-12-10T00:51:19.188-06:00
Dec 9 10:58:25 system.netework.net 1 2019-12-09T10:58:23.793-06:00
Dec 9 22:38:38 system.network.net 1 2019-12-06T08:05:23.745-06:00
I want to use Logon Time as the event time not the time it was received.
This used to work until I upgraded to 7.3.3 from 7.3.0 to fix the Y2K20 issue.
props file contains
DATETIME_CONFIG =
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3Q%:z
TIME_PREFIX = \w+\s{1,}\d{1,}\s\d{2}:\d{2}:\d{2}\s\S+\s\d\s
category = Custom
disabled = false
MAX_TIMESTAMP_LOOKAHEAD = 256
TIMESTAMP_FIELDS =
Any suggestions on what happened?
Scott
↧