Hello Splunkers,
We have an event coming in from our logs below with this stamp right at the beginning of our logs.
That is good...
Event Time Stamp
11/30/15:11:16 AM
Unfortunately Splunk gets confused on the Year and believes it is the start of the time
stamp. See below 15 = 3:00 PM. I think I just need to somehow get rid of the colon in the
above data after the year and get a space in there before it is read and I think I will be good.
Would I need a props with a SED statement to strip it out on indexing? Any ideas to support
my theory would be greatly helpful.
Splunk Output
11/30/15 3:11:16.000 PM
Thanks,
Daniel MacGillivray
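
An added example, not part of the original post and not Splunk code: a Python check that reproduces both readings of the stamp quoted above and measures the resulting time skew. The format strings, function names and the event body after the stamp are assumptions made for illustration.

```python
from datetime import datetime

# Stamp quoted in the post; the text after it is constructed sample data.
SAMPLE_EVENT = "11/30/15:11:16 AM constructed event body"
STAMP_LEN = len("11/30/15:11:16 AM")  # 17 characters

# Assumed strptime formats (not from the post).
INTENDED = "%m/%d/%y:%I:%M %p"  # 15 is the two-digit year, then 11:16 AM
DATE_ONLY = "%m/%d/%y"          # date portion in both readings
GREEDY_TIME = "%H:%M:%S"        # "15:11:16" taken as a 24-hour time


def parse_intended(event):
    """Parse the leading stamp with one explicit format string."""
    return datetime.strptime(event[:STAMP_LEN], INTENDED)


def parse_misread(event):
    """Reproduce the reading shown in the post: the year digits are
    reused as the hour, so '15:11:16' becomes 3:11:16 PM."""
    date = datetime.strptime(event[:8], DATE_ONLY).date()
    time = datetime.strptime(event[6:14], GREEDY_TIME).time()
    return datetime.combine(date, time)


def skew(event):
    """How far the misread timestamp lands from the intended one."""
    return parse_misread(event) - parse_intended(event)


def unparsed(events):
    """Return events whose leading stamp does not match INTENDED, so a
    candidate format can be checked against a sample before rollout."""
    bad = []
    for event in events:
        try:
            parse_intended(event)
        except ValueError:
            bad.append(event)
    return bad


if __name__ == "__main__":
    print("intended:", parse_intended(SAMPLE_EVENT))
    print("misread: ", parse_misread(SAMPLE_EVENT))
    print("skew:    ", skew(SAMPLE_EVENT))
```

A skew of this size moves events almost four hours on the timeline, which matters when correlating them with other sources during an investigation.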