Here's my local props.conf.
[tmweb@app1.splunkdev.jetdev2.syseng.tmcs ~]$ cat /opt/splunk-efr/splunk/etc/system/local/props.conf
[default]
TRUNCATE=100
TIME_PREFIX = datetime=
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3NZ
SHOULD_LINEMERGE = False
TZ=Canada/Eastern
I don't understand why those settings are not considered. No matter what I'm doing, Splunk does not consider my setting.
Please, I'm really upset about this. I'm using a new version of splunk, and it was working very nicely before. Now, sometime it's works, sometimes not.
Here's a result in Splunk. As you see, date time is not considered, nor truncation.
08/12/2015 10:23:15.000
severity="INFO" host="app1.jdas.jetdev2.syseng.tmcs" service_version="1.4.47" client_host="app2.jdat.jetdev2.syseng.tmcs" client_version="1.5.97" Correlation-ID="a3b3fde3-e657-42bc-804e-4677ce4de1a7" client_rid="73891577-0da4-4f7f-ac07-b1497ab68246" rid="249cce85-4b42-43e7-8ea6-7e7b951993fc" sid="8d2c2fc8-9981-4b90-a6e1-b5190c1874d7_143" thread="http-8080-2" category="com.ticketmaster.platform.bam.strategies.PayloadBAMStrategy" datetime="2015-12-08T15:23:12.805Z" bam="payload" appCode="outbound.response.rest" activity="FindAttractions" seq="108697" payload="{'@type':'{http://www.ticketmaster.com/jdas/authoring/attraction/service/operations/1.0}FindAttractionResults','record':[{'@type':'{http://www.ticketmaster.com/jdas/authoring/attraction/service/operations/1.0}FindAttractionRecord','attractionVersion':{'@type':'{http://www.ticketmaster.com/jdas/authoring/attraction/model/1.0}AttractionVersion','attractionVersionId':'dataAdmin-attrVer-00000000027b9fe9','attractionId':'dataAdmin-attraction-000000000083d829'}}],'totalRecords':326,'nbRecords':1}" headers="{Response-Code=[200], TMPS-Request-Id=[249cce85-4b42-43e7-8ea6-7e7b951993fc], TMPS-Correlation-Id=[a3b3fde3-e657-42bc-804e-4677ce4de1a7], TMPS-Service-Version=[1.4.47], TMPS-Hostname=[app1.jdas.jetdev2.syseng.tmcs], Cache-Control=[no-cache], Date=[Tue, 08 Dec 2015 15:23:12 GMT]}"
↧