Hello
I have some rsyslog data coming from an rsyslog server configured with RSYSLOG_ForwardFormat to tcp port 5140 on one of the indexer cluster hosts. The data looks like this in Splunk:
<14>2016-08-21T20:36:01.770243-07:00 host01 php-fpm[] pool ......
I've attempted to parse it using a property and pushing it from the indexer master (in etc/master-apps/_cluster/local/props.conf) to the slaves:
[host::host0*]
TIME_PREFIX=<\d+>
TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%6N%:z
However, the indexer does not seem to pick up on this and it thinks that the events are coming in 7 hours behind, which means no data in the 30 second window.
Can someone validate that this the correct time parser string? Is Splunk capable of parsing out the time values at index time?
Thanks
↧