Hi,
I have a folder with 21 logs, all different types, but with the exact same format. The event types are different per log file (info / warning / error / etc)
[01/Feb/2016 23:55:58] Failed IMAP login from 192.168.0.25, user jojo
[01/Feb/2016 09:41:34] SMTP server connection from 127.0.0.1 closed after 3 bad commands
Splunk nicely creates 21 different sourcetypes which is great for filtering. Unfortunately, Splunk is not able to identify the DATE correctly. It will assign old log entries from 2010 to some date in 2016. The time is right though. I've played around a lot with the manual sourcetype settings until I found out that I have to erase the data in Splunk first. Then finally the settings from props.conf are applied when importing the logs again.
When I tested this, I created just one sourcetype that was applied to all 21 logs, but this is not nice for filtering. I could manually add 21 logs with 21 different props, but I am wondering if there isn't an easier way to do this.
Can I not "help" the auto sourcetype detection with the correct date format?
I do find it strange that Splunk is not able to detect such a fairly easy TIME_STAMP at the beginning of each line: `[01/Feb/2016 23:55:58]` I guess it is because of the `[` and `]` that screws up the REGEX engine.
Thanks,
Robbert
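The timestamp extraction the post is asking about, as an added example that is not part of the original question or of Splunk: a small Python parser that anchors on the literal `[`, captures the date/time with an explicit `%d/%b/%Y %H:%M:%S` format (the same idea as Splunk's `TIME_PREFIX` and `TIME_FORMAT` settings in props.conf), and then runs a simple failed-login count over the parsed events. The log lines are constructed to match the format shown above and include a 2010 entry to show that the year is taken from the line rather than from ingest time; the function and pattern names are my own.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in the format from the post (not real log data).
# The 2010 entries exist to show the year comes from the line itself;
# the last line has no timestamp and must be reported rather than mis-dated.
SAMPLE_LOG = """[01/Feb/2016 23:55:58] Failed IMAP login from 192.168.0.25, user jojo
[01/Feb/2016 09:41:34] SMTP server connection from 127.0.0.1 closed after 3 bad commands
[14/Mar/2010 08:12:03] Failed IMAP login from 192.168.0.25, user admin
[14/Mar/2010 08:12:09] Failed IMAP login from 192.168.0.25, user root
this line has no timestamp and should be reported as unparsed
"""

# Anchor on the literal '[' at line start, capture the timestamp, and keep the
# rest of the line as the message. The brackets are escaped so the regex
# engine treats them as characters, not as a character class.
TS_RE = re.compile(r"^\[(\d{2}/[A-Za-z]{3}/\d{4} \d{2}:\d{2}:\d{2})\]\s*(.*)$")
# strptime format equivalent to Splunk's TIME_FORMAT = %d/%b/%Y %H:%M:%S
TS_FORMAT = "%d/%b/%Y %H:%M:%S"


def parse_line(line):
    """Return (datetime, message) or None when the line has no valid timestamp."""
    m = TS_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group(1), TS_FORMAT)
    except ValueError:  # e.g. '31/Feb/2016' or an unknown month abbreviation
        return None
    return ts, m.group(2)


def parse_log(text):
    """Parse every non-empty line; return (events, unparsed_lines)."""
    events, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        parsed = parse_line(line)
        if parsed is None:
            unparsed.append(line)
        else:
            events.append(parsed)
    return events, unparsed


FAILED_LOGIN_RE = re.compile(r"Failed IMAP login from (\S+), user (\S+)")


def failed_logins_by_ip(events):
    """Count failed IMAP logins per source IP over parsed events."""
    counts = Counter()
    for _, msg in events:
        m = FAILED_LOGIN_RE.search(msg)
        if m:
            counts[m.group(1)] += 1
    return counts


if __name__ == "__main__":
    evts, bad = parse_log(SAMPLE_LOG)
    for ts, msg in evts:
        print(ts.isoformat(), msg)
    print("unparsed lines:", len(bad))
    print("failed logins by IP:", dict(failed_logins_by_ip(evts)))
```

The check that matters for the dating problem in the post is the last assertion-style step: every parsed event keeps the year written on its own line, and a line that does not match is surfaced as unparsed instead of silently receiving the current date. In Splunk terms the same three facts (a `^\[` prefix, the `%d/%b/%Y %H:%M:%S` layout, and a short lookahead) are what `TIME_PREFIX`, `TIME_FORMAT` and `MAX_TIMESTAMP_LOOKAHEAD` in a props.conf stanza express; which stanza name applies to each of the 21 sourcetypes is not something the post shows, so that part is left to the reader.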