Hi,
I have complex events in files, forwarded from Windows hosts with the Universal Forwarder.
These files are zip-compressed and have "_TRA_" in the filename.
They look similar to this:
20150422|20150721|grtghtyrt|teghtrhher(... some text)
20150427|20150630|grtghtyrt|teghtrhher(... some text)
Date of each event is THE SECOND column (first is for something else)
So for those 2 events, I expect _time to be 2015-07-21 00:00:00 and 2015-06-30 00:00:00
I made a simple app with props.conf: http://pastebin.com/LGCUNpPp
When I add input directly to Splunk - _time is correct.
When I forward data with Splunk Universal Forwarder - _time is set to modification date of those files, which is wrong.
sourcetype is set correctly.
Why does the Splunk Forwarder ignore my settings? How can I debug this, and what should I do?
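Added example (not the poster's pastebin and not Splunk's own config): a props.conf stanza that pulls _time from the second pipe-delimited column of the sample lines above. The stanza name `tra_events` is an assumption standing in for whatever sourcetype the poster actually assigns. The key point for the symptom described is where the file lives: the Universal Forwarder does not run timestamp extraction, so TIME_PREFIX/TIME_FORMAT in an app deployed only to the UF are never applied, and the indexer falls back to the file modification time. The same stanza placed on the indexer (or a heavy forwarder) is what takes effect.

```ini
# props.conf, deployed to the INDEXER (or heavy forwarder), not only to the UF.
# The Universal Forwarder only assigns sourcetype/host/source; timestamp
# parsing happens where the data is indexed, so these settings are ignored
# if they exist solely on the forwarder.
# Stanza name "tra_events" is assumed; use the sourcetype set on the UF.
[tra_events]

# One event per line.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)

# Skip the first column ("20150422|") so the timestamp search starts at the
# second column. TIME_PREFIX is a regex anchored at line start.
TIME_PREFIX = ^[^|]*\|

# Second column is YYYYMMDD, e.g. 20150721 -> 2015-07-21 00:00:00.
TIME_FORMAT = %Y%m%d

# Only scan 8 characters after TIME_PREFIX so the trailing text can never
# be mistaken for a timestamp.
MAX_TIMESTAMP_LOOKAHEAD = 8

# The data carries no zone; pin one so results do not depend on which
# indexer received the file.
TZ = UTC
```

To confirm the settings are actually in force on the indexer rather than only on the forwarder, run `splunk btool props list tra_events --debug` on the indexer and check that the TIME_* keys appear and come from the expected app. Events already indexed keep their old _time; only data indexed after the config is in place on the indexer will be parsed from the second column.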