[source::*/access.log]
BREAK_ONLY_BEFORE_DATE = false
3. Next, we merge our current app default, $SPLUNK_HOME/etc/apps/d/default/props.conf:
BREAK_ONLY_BEFORE_DATE = false
[web_access]
MAX_TIMESTAMP_LOOKAHEAD = 25
TIME_PREFIX = ^\[
TIME_FORMAT = %Y-%m-%d %H:%M:%S
TZ = CST
[source::*/access.log]
BREAK_ONLY_BEFORE_DATE = false
[source::*.log]
BREAK_ONLY_BEFORE_DATE = true
4. Now we merge our current app local, $SPLUNK_HOME/etc/apps/d/local/props.conf:
BREAK_ONLY_BEFORE_DATE = false
[web_access]
MAX_TIMESTAMP_LOOKAHEAD = 25
TIME_PREFIX = ^\[
TIME_FORMAT = %Y-%m-%d %H:%M:%S
TZ = UTC
[source::*/access.log]
BREAK_ONLY_BEFORE_DATE = false
[source::*.log]
BREAK_ONLY_BEFORE_DATE = true
[security_log]
EXTRACT-<name> = \[(?P<user>.*?)\]
5. And finally, we apply our default stanza to stanzas that don't already have the attribute:
BREAK_ONLY_BEFORE_DATE = false
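The merge in steps 3 through 5 can be modelled in a few lines, which is a quick way to check which line-breaking and time zone settings a sourcetype ends up with before trusting its event timestamps. This is an added example, not code from the book or from Splunk; the three layer contents and the names parse_conf, merge_layers, apply_default and effective_props are assumptions, constructed so that the result matches the listings above. It models only attribute-level layering and the default stanza, not precedence between overlapping source:: patterns.

```python
def parse_conf(text):
    """Return {stanza: {attr: value}}; lines before any header go to 'default'."""
    stanzas, current = {}, "default"
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def merge_layers(layers):
    """Merge lowest precedence first; later layers override single attributes."""
    merged = {}
    for text in layers:
        for stanza, attrs in parse_conf(text).items():
            merged.setdefault(stanza, {}).update(attrs)
    return merged

def apply_default(merged):
    """Step 5: give each stanza the default attributes it does not set itself."""
    defaults = merged.get("default", {})
    return {s: {**defaults, **a} for s, a in merged.items() if s != "default"}

# Constructed layer contents (the page shows only merged results).
EARLIER = r"""
BREAK_ONLY_BEFORE_DATE = false
[source::*/access.log]
BREAK_ONLY_BEFORE_DATE = false
"""
APP_DEFAULT = r"""
[web_access]
TIME_PREFIX = ^\[
TZ = CST
[source::*.log]
BREAK_ONLY_BEFORE_DATE = true
"""
APP_LOCAL = r"""
[web_access]
TZ = UTC
[security_log]
EXTRACT-<name> = \[(?P<user>.*?)\]
"""

def effective_props():
    return apply_default(merge_layers([EARLIER, APP_DEFAULT, APP_LOCAL]))
```

On a running instance, `splunk btool props list --debug` prints the merged result together with the file each attribute came from.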
 