Hi,
I have complex events in files forwarded from Windows hosts with Universal Forwarders.
These files are zip-compressed, and have "_TRA_" in filename.
They look similar to this:
20150422|20150721|grtghtyrt|teghtrhher(... some text)
20150427|20150630|grtghtyrt|teghtrhher(... some text)
Date of each event is THE SECOND column (first is for something else).
So for those 2 events, I expect **_time** to be `2015-07-21 00:00:00` and `2015-06-30 00:00:00`
I made a simple app with props.conf: http://pastebin.com/LGCUNpPp
When I add input directly to Splunk, _time is correct.
When I forward data with Splunk Universal Forwarder, _time is set to modification date of those files, which is wrong.
Sourcetype is set correctly.
Why does Splunk Forwarder ignore my settings? How to debug this and what to do?
↧