Hi everyone,
I'm importing data from Windows event logs to a Splunk machine in Unix (version 7.0.3).
I get a weird warning when I try to set up my timestamp configuration.
My log timestamps look like this:
2019-03-10 12:04:44:foo: bar ...
So I followed the official docs and put:
TIME_FORMAT = %y-%m-%d %H:%M:%S:
but I get some warnings and the event breaking is wrong.
> Warning: Could not use strptime to parse timestamp from "2019-03-10 12:04:44:foo..."
Then when I try:
TIME_FORMAT= %y%-%m%-%d %H%:%M%:%S%:
which is surprisingly not a format anywhere in the docs, everything looks fine.
Can anyone help me understand what's going on?
I'm not sure if I'm following the best practices...
I've attached some screenshots.
Thank you in advance.
With warning: ![alt text][1]
Without warning: ![alt text][2]
[1]: /storage/temp/274823-warning.png
[2]: /storage/temp/274824-no-warning.png
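An added illustration of what the two formats in the question actually match, not part of the original post and not Splunk's own code: it uses Python's `datetime.strptime`, which implements the same standard directives (`%y` is a two-digit year, `%Y` a four-digit year), so `%y-%m-%d` reads `20` as the year and then fails on the `1` where it expects a `-`. The `parse_timestamp_prefix` helper is my construction: Python's strptime requires the whole string to match, so the helper tries successively shorter prefixes to mimic a log parser that consumes only a leading timestamp. Both sample lines are constructed. The `%y%-%m%-%d` variant is not exercised here, because `%-` is not one of the standard strptime conversions and what Splunk's own parser does with it is not something this example can show.

```python
from datetime import datetime

# Constructed sample event lines (assumption: modelled on the one in the question).
FOUR_DIGIT_LINE = "2019-03-10 12:04:44:foo: bar baz"
TWO_DIGIT_LINE = "19-03-10 12:04:44:foo: bar baz"

# The format from the question (two-digit year) and the corrected one
# (four-digit year). Assumption: %Y is the fix for a "2019-..." timestamp.
FORMAT_TWO_DIGIT_YEAR = "%y-%m-%d %H:%M:%S:"
FORMAT_FOUR_DIGIT_YEAR = "%Y-%m-%d %H:%M:%S:"


def parse_timestamp_prefix(line, fmt, lookahead=32):
    """Return (datetime, chars_consumed) for the longest prefix of `line`
    (at most `lookahead` characters) that strptime accepts under `fmt`,
    or (None, 0) if no prefix matches.

    Python's strptime insists on matching the entire input, so this loop
    emulates a parser that reads only the leading timestamp and leaves the
    rest of the event untouched (constructed helper, not Splunk's logic).
    """
    for n in range(min(lookahead, len(line)), 0, -1):
        try:
            return datetime.strptime(line[:n], fmt), n
        except ValueError:
            continue
    return None, 0


def describe(line, fmt):
    """Human-readable summary of how `fmt` fares against `line`."""
    ts, consumed = parse_timestamp_prefix(line, fmt)
    if ts is None:
        return "%-20s on %r -> no match" % (fmt, line)
    return "%-20s on %r -> %s (consumed %d chars, remainder %r)" % (
        fmt, line, ts.isoformat(), consumed, line[consumed:])


if __name__ == "__main__":
    # %y cannot consume "2019-..." (it takes "20" as the year, then expects "-").
    print(describe(FOUR_DIGIT_LINE, FORMAT_TWO_DIGIT_YEAR))
    # %Y consumes exactly "2019-03-10 12:04:44:" and leaves "foo: bar baz".
    print(describe(FOUR_DIGIT_LINE, FORMAT_FOUR_DIGIT_YEAR))
    # %y is right only when the log really carries a two-digit year.
    print(describe(TWO_DIGIT_LINE, FORMAT_TWO_DIGIT_YEAR))
```

Running the block prints one line per case; the first format reports no match on the four-digit line, the second parses it to `2019-03-10T12:04:44` after consuming 20 characters, and the two-digit format only succeeds on the constructed `19-03-10 ...` line. The same directive semantics apply to Splunk's `TIME_FORMAT`, which is why the practical check is to confirm the year width in the raw event before choosing `%y` or `%Y`.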