We have data coming into Splunk that looks like:
DATA_FEED[00ZA044]:08/07 06:59:59 Got 'ABCDL NO PENDING TRANSACTIONS FOUND FOR REQUEST ' in file - LaLaStuff
DATA_FEED[00ZA044]:08/07 06:59:59 Queued time was 1.02, starting up a slave.
DATA_FEED[64946350]:08/07 06:59:59 Connecting to DB.
DATA_FEED[00ZA031]:08/07 06:59:59 received 'get_pending_orders:0038:12345678901'
The date/time is being parsed incorrectly. Splunk is reading the date for the above as 07/06/2008, which is really screwing things up.
We then modified the props and added: TIME_FORMAT = %m/%d %H:%M:%S
Bounced all the search heads and indexers with the new props. Still coming in wrong.
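An added example, not part of the post above: a small Python model of how a props.conf stanza for this feed would locate and parse the timestamp. TIME_FORMAT alone tells Splunk how to read a timestamp but not where to look for it; TIME_PREFIX (a regex matching the text immediately before the timestamp) and MAX_TIMESTAMP_LOOKAHEAD do that. The sample events are the four lines from the post; the year 2008, the sourcetype name `data_feed` and the function names are assumptions. The `ambiguous_reading` function only shows that reading the same characters as year/month day yields the 07/06/2008 value the post reports; it is an illustration of the ambiguity, not a description of Splunk's internal heuristics.

```python
import re
from datetime import datetime

# Sample events copied from the post; the year 2008 is assumed from the
# date Splunk was reported to produce.
SAMPLE_EVENTS = [
    "DATA_FEED[00ZA044]:08/07 06:59:59 Got 'ABCDL NO PENDING TRANSACTIONS FOUND FOR REQUEST ' in file - LaLaStuff",
    "DATA_FEED[00ZA044]:08/07 06:59:59 Queued time was 1.02, starting up a slave.",
    "DATA_FEED[64946350]:08/07 06:59:59 Connecting to DB.",
    "DATA_FEED[00ZA031]:08/07 06:59:59 received 'get_pending_orders:0038:12345678901'",
]

# Settings as they would appear in a props.conf stanza for this sourcetype.
# TIME_PREFIX is a regex that must match the text immediately before the
# timestamp; TIME_FORMAT is a strptime pattern; MAX_TIMESTAMP_LOOKAHEAD bounds
# how many characters after the prefix match are examined.
TIME_PREFIX = r"^DATA_FEED\[[^\]]+\]:"
TIME_FORMAT = "%m/%d %H:%M:%S"
MAX_TIMESTAMP_LOOKAHEAD = 14   # len("08/07 06:59:59")


def extract_timestamp(event, year):
    """Apply TIME_PREFIX, then TIME_FORMAT, the way the props stanza would.

    The format carries no year, so the caller supplies one (Splunk fills in
    the current year at index time when the pattern has no year field).
    Returns None if the prefix does not match or the text after it does not
    fit TIME_FORMAT.
    """
    m = re.match(TIME_PREFIX, event)
    if m is None:
        return None
    candidate = event[m.end():m.end() + MAX_TIMESTAMP_LOOKAHEAD]
    try:
        ts = datetime.strptime(candidate, TIME_FORMAT)
    except ValueError:
        return None
    return ts.replace(year=year)


def ambiguous_reading(event):
    """Read the first eight characters after the prefix ("08/07 06") as
    year/month day. This reproduces the 07/06/2008 value from the post and
    shows why an explicit prefix and format are needed; it is not a claim
    about Splunk's actual auto-detection logic."""
    m = re.match(TIME_PREFIX, event)
    if m is None:
        return None
    head = event[m.end():m.end() + 8]   # "08/07 06"
    return datetime.strptime(head, "%y/%m %d")


def props_stanza(sourcetype):
    """Render the equivalent props.conf stanza (hypothetical sourcetype name)."""
    return "\n".join([
        f"[{sourcetype}]",
        f"TIME_PREFIX = {TIME_PREFIX}",
        f"TIME_FORMAT = {TIME_FORMAT}",
        f"MAX_TIMESTAMP_LOOKAHEAD = {MAX_TIMESTAMP_LOOKAHEAD}",
    ])


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(extract_timestamp(ev, 2008), "vs", ambiguous_reading(ev).date(), "|", ev[:40])
    print(props_stanza("data_feed"))
```

Two practical checks go with this: TIME_PREFIX and TIME_FORMAT are parsing-time settings, so they have to live in props.conf on the first full Splunk instance that parses the data (indexers, or heavy forwarders in front of them), and a search head restart does not affect them; and they only apply to events indexed after the change, since events already on disk keep the _time they were given.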