I've an event with multiple datestrings, it looks like this:
2016-06-01 15:31:31 INFO - Transfer[sourceName=xxx,sourceFile=xxx,sourceSize=xxx,sourceCheckSum=xxx,targetName=xxx,targetFile=xxx,targetSize=xxx,targetCheckSum=xxx,status=xxx,errorText=xxx,startTime=Wed Jun 01 15:29:26 CEST 2016,endTime=Wed Jun 01 15:29:27 CEST 2016,checkSumMethod=xxx,originalEntryDate=xxx]
Splunk uses the datestring in "startTime" for the _time field. I want to use the datestring in the beginning.
In the props.conf I've added "TIME_FORMAT" to the stanza, but nothing changes in Splunk.
TIME_FORMAT = %y-%m-%d %H:%M:%S
Any hints?
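
One way to pin timestamp extraction to the leading datestring of the sample event, as an added example that is not part of the original post. The stanza name `[my_sourcetype]` is a placeholder; the three settings are standard props.conf timestamp settings.

```ini
# props.conf -- added example; [my_sourcetype] is a placeholder stanza name
[my_sourcetype]
# Start matching at the first character of the event.
TIME_PREFIX = ^
# %Y is the four-digit year (2016); %y matches only a two-digit year (16).
TIME_FORMAT = %Y-%m-%d %H:%M:%S
# "2016-06-01 15:31:31" is 19 characters; stop there so the startTime and
# endTime values later in the event are never considered.
MAX_TIMESTAMP_LOOKAHEAD = 19
```

These are index-time settings, so they belong on the first full Splunk instance that parses the data (indexer or heavy forwarder), and they affect only events indexed after the change is loaded.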