I think I found a bug in the Preview app. I pasted the following data into the application:
3/1/16 16:08:51:477 PST This is a testddd
3/1/16 16:09:51:477 PST This is a test
3/1/16 16:10:51:477 PST This is a test
The app suggested the following:
TIME_FORMAT: %Y-%m-%d %H:%M:%S.%3N%Z
MAX_TIMESTAMP_LOOKAHEAD: 25
SHOULD_LINEMERGE: false
TRUNCATE: 150000
NO_BINARY_CHECK: true
TIME_PREFIX: ^
Events:
For some reason or another, the app seems to pass the check and match a sourcetype. The bad part is the suggested TIME_FORMAT isn’t matching the input data. Any thoughts? The time format in the message is `mm/dd/yy`, and the app shows `YYYY-MM-DD`.
[exchange:message:tracking]
count = 26
MAX_TIMESTAMP_LOOKAHEAD = 25
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N%Z
TIME_PREFIX = ^
TRUNCATE = 150000
I wondered if anyone has found a workaround. I don't see this issue with Splunk 6.3.1 in search/preview (onboarding from a static file). I like the option to cut and paste onboarded data vs. having to import a file. This is why I use the Preview app.
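Added example (not part of the post or of the Preview app): a Python check that applies a Splunk-style TIME_FORMAT to the pasted events offline, translating Splunk's `%3N` to Python's `%f` and resolving `%Z` through a small hand-written abbreviation table, so you can confirm before committing a props.conf stanza that the suggested format matches none of the events while a corrected format (`%m/%d/%y %H:%M:%S:%3N %Z`, my assumption, not from the post) matches all three.

```python
import re
from datetime import datetime, timedelta, timezone

# The three events pasted in the post (first line keeps the "testddd" as posted).
SAMPLE_EVENTS = [
    "3/1/16 16:08:51:477 PST This is a testddd",
    "3/1/16 16:09:51:477 PST This is a test",
    "3/1/16 16:10:51:477 PST This is a test",
]

SUGGESTED_FORMAT = "%Y-%m-%d %H:%M:%S.%3N%Z"   # what the Preview app proposed
CORRECTED_FORMAT = "%m/%d/%y %H:%M:%S:%3N %Z"  # assumption: what the sample actually needs

# Assumption: a minimal abbreviation table. Splunk resolves %Z itself; Python's
# strptime only knows UTC/GMT and the local zone, so we map it by hand.
TZ_OFFSET_HOURS = {"PST": -8, "PDT": -7, "UTC": 0, "GMT": 0}


def splunk_to_python_format(fmt):
    """Translate Splunk-only directives: %3N/%6N (sub-second digits) -> Python %f."""
    return re.sub(r"%[36]N", "%f", fmt)


def parse_event_time(line, splunk_fmt, lookahead=25):
    """Apply a Splunk-style TIME_FORMAT anchored at line start (TIME_PREFIX = ^)
    within MAX_TIMESTAMP_LOOKAHEAD characters. Returns an aware datetime or None."""
    candidate = line[:lookahead]
    py_fmt = splunk_to_python_format(splunk_fmt)
    offset_hours = 0
    if "%Z" in py_fmt:
        # Pull the zone abbreviation out before handing the rest to strptime.
        m = re.search(r"\b([A-Z]{3,4})\b", candidate)
        if not m or m.group(1) not in TZ_OFFSET_HOURS:
            return None
        offset_hours = TZ_OFFSET_HOURS[m.group(1)]
        candidate = candidate[:m.start()].rstrip()
        py_fmt = py_fmt.replace("%Z", "").rstrip()
    try:
        naive = datetime.strptime(candidate, py_fmt)
    except ValueError:
        return None  # the format does not describe this event
    return naive.replace(tzinfo=timezone(timedelta(hours=offset_hours)))


def count_matching(events, splunk_fmt):
    """How many events the format parses; 0 means the stanza is wrong for this data."""
    return sum(parse_event_time(e, splunk_fmt) is not None for e in events)


if __name__ == "__main__":
    for fmt in (SUGGESTED_FORMAT, CORRECTED_FORMAT):
        print(f"{fmt!r}: {count_matching(SAMPLE_EVENTS, fmt)}/{len(SAMPLE_EVENTS)} parsed")
```

Running it reports 0/3 for the suggested stanza and 3/3 for the corrected one, which is the mismatch the post describes.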