Getting Data In

How does Splunk get the date from a file?

tgow
Splunk Employee

I have a file that lists the date at the top and also in the name. Here is a snippet of the first 10 lines of the file.

Log file opened: 05/09/2011 08:15:28.889 CDT
Director 14644: 08:15:28.890 User [admin] tries to log in
Director 14644: 08:15:28.910 validate.asp: calling SM_CreateNewSession()
Director 14644: 08:15:28.911 validate.asp: logon_ip:::1user_id:adminbrowser_ip:::1
Director 14644: 08:15:28.912 ::1:admin:::1:changeme:0:::0
Director 14644: 08:15:28.917 sm.js: SM_CreateNewSession, json_data: {"request-id":1,"topic":"system","message":"session","actions":[{"action":"create","id":1,"user-id":"admin","browser-ip":"::1","client-nonce":1756958650,"sha1":"63180aca427f33649593b87ee48b58c2a53399d9"}]}
Director 14644: 08:15:28.920 sm.js: SM_CreateNewSession, caught error:
Director 14644: 08:15:28.921 sm.js: WinHttp returned error: 12005 The URL is invalid

The name of the file is the following: Director-110509.081528.log

I set up a props.conf file with the following to create a single event for each line of the file, because originally Splunk was not recognizing the new lines and only created one event for the whole file.

[director]
SHOULD_LINEMERGE = False

The events in Splunk have the date of 11/05/09, but it should be 5/09/2011.

How does Splunk determine the date of the events in the file, and how can I change the date to be the correct one?

Thanks in advance

1 Solution

bbingham
Builder

Splunk looks at the start of each line for the date information and matches it against any known date format; in your case it looks to be matching and failing, so it looks to the file name, Director-110509.081528.log.

Here's the order Splunk looks for a timestamp:

Splunk uses the following precedence to assign timestamps to events:

1. Look for a time or date in the event itself using an explicit TIME_FORMAT if provided. Use positional timestamp extraction for events that have more than one timestamp value in the raw data.

2. If no TIME_FORMAT is provided, or no match is found, attempt to automatically identify a time or date in the event itself.

3. If an event doesn't have a time or date, use the timestamp from the most recent previous event of the same source.

4. If no events in a source have a time or date, look in the source (or file) name.

5. For file sources, if no time or date can be identified in the file name, use the modification time on the file.

6. If no other timestamp is found, set the timestamp to the current system time (the time at which the event is indexed by Splunk).

You may want to simply remove the date from the filename and let Splunk use the modification time on the file. Hope this helps!
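To make the precedence list concrete, here is an added example (written for this page, not code from the Splunk Community post or from Splunk itself) that models the six steps in Python and runs them over a constructed copy of the Director log. It is a simplified illustration of the ordering, not Splunk's parser: the regexes, the FIXED_NOW stand-in for index time and the assumption that Splunk read the filename digits as mm/dd/yy are all assumptions. It shows why a log like this one is fragile for investigation timelines: when the header date is not recognised, every event silently inherits a date guessed from an ambiguous six-digit filename.

```python
import re
from datetime import datetime

# Constructed sample modelled on the snippet in the question (not the real file).
SAMPLE_FILENAME = "Director-110509.081528.log"
SAMPLE_LINES = [
    "Log file opened: 05/09/2011 08:15:28.889 CDT",
    "Director 14644: 08:15:28.890 User [admin] tries to log in",
    "Director 14644: 08:15:28.910 validate.asp: calling SM_CreateNewSession()",
    "Director 14644: 08:15:28.921 sm.js: WinHttp returned error: 12005 The URL is invalid",
]
FIXED_NOW = datetime(2024, 1, 1, 0, 0, 0)  # stand-in for "current system time" (assumption)

# Date+time shapes the model recognises inside an event (step 2). Lines that carry
# only a clock time, like the "Director 14644:" lines, deliberately do not match,
# which is the "matching and failing" the answer suspects in the original file.
AUTO_FORMATS = [
    (re.compile(r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})"), "%m/%d/%Y %H:%M:%S"),
    (re.compile(r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"), "%Y-%m-%d %H:%M:%S"),
]
FILENAME_RE = re.compile(r"(\d{6})\.(\d{6})")  # six digits . six digits, as in the file name


def match_formats(line, formats):
    """Return the first datetime a (regex, strptime-format) pair extracts, else None."""
    for pattern, fmt in formats:
        m = pattern.search(line)
        if m:
            try:
                return datetime.strptime(m.group(1), fmt)
            except ValueError:
                continue
    return None


def timestamp_from_filename(name, order="%m%d%y"):
    """Step 4. Six digits are ambiguous: '110509' is 2011-05-09 read as %y%m%d but
    2009-11-05 read as %m%d%y, which is the 11/05/09 the question reports. The
    default mirrors that observed reading (an assumption of this model)."""
    m = FILENAME_RE.search(name)
    if not m:
        return None
    try:
        return datetime.strptime(m.group(1) + m.group(2), order + "%H%M%S")
    except ValueError:
        return None


def assign_timestamps(lines, filename, explicit_formats=None,
                      auto_formats=AUTO_FORMATS, mtime=None, now=None):
    """Walk the precedence once per event; return (timestamp, winning step, line)."""
    now = now or datetime.now()
    previous = None
    results = []
    for line in lines:
        ts, step = None, None
        if explicit_formats:                                 # 1. explicit TIME_FORMAT
            ts, step = match_formats(line, explicit_formats), "TIME_FORMAT"
        if ts is None:                                       # 2. auto-detect in the event
            ts, step = match_formats(line, auto_formats), "event"
        if ts is None and previous is not None:              # 3. previous event, same source
            ts, step = previous, "previous event"
        if ts is None:                                       # 4. source / file name
            ts, step = timestamp_from_filename(filename), "filename"
        if ts is None and mtime is not None:                 # 5. file modification time
            ts, step = mtime, "mtime"
        if ts is None:                                       # 6. index time
            ts, step = now, "index time"
        previous = ts
        results.append((ts, step, line))
    return results


if __name__ == "__main__":
    print("--- header date recognised ---")
    for ts, step, line in assign_timestamps(SAMPLE_LINES, SAMPLE_FILENAME):
        print(ts.isoformat(), step.ljust(14), line[:48])
    print("--- header date NOT recognised: every event inherits the filename guess ---")
    for ts, step, line in assign_timestamps(SAMPLE_LINES, SAMPLE_FILENAME, auto_formats=[]):
        print(ts.isoformat(), step.ljust(14), line[:48])
```

Running it prints 2011-05-09 for every event in the first pass (the header wins and the time-only lines inherit it through step 3), and 2009-11-05 for every event in the second pass, reproducing the wrong date from the question. Passing `explicit_formats` models step 1, and passing `order="%y%m%d"` to `timestamp_from_filename` shows how the same filename yields the intended date.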

