Time stamp of historical syslog data gets incorrectly set to the current year

Question

I have some syslog-like data from 2008 that I'd like to index with Splunk :
Mar 7 13:33:21 beefysup01 avahi-daemon[3264]: Invalid query packet. Mar 7 13:33:23 beefysup01 last message repeated 11 times Mar 7 13:33:23 beefysup01 avahi-daemon[3264]: Recieved repsonse with invalid source port 53436 on interface 'eth0.0' Mar 7 13:33:23 beefysup01 avahi-daemon[3264]: Invalid query packet. Mar 7 13:33:54 beefysup01 last message repeated 153 times Mar 7 13:34:20 beefysup01 last message repeated 95 times Mar 7 13:34:20 beefysup01 avahi-daemon[3264]: Invalid legacy unicast query packet. Mar 7 13:34:20 beefysup01 avahi-daemon[3264]: Invalid query packet. Mar 7 13:34:25 beefysup01 last message repeated 36 times Mar 7 13:34:27 beefysup01 avahi-daemon[3264]: Recieved repsonse with invalid source port 53436 on interface 'eth0.0'

Unfortunately, as these events have no year, Splunk assigns the current year (2012) to them!

Is there any way that I can tell Splunk to index this file using the actual year of origin (2008) as part of the time stamp?

Accepted Answer

Sure, you can use the touch command on the file where the historical data resides to set its modification time to 2008, and Splunk will then index the data using that year as part of the time stamp extraction. I ran into this behavior, and I resolved the issue by doing this:

touch -t 200804071105 test.log

One extra piece of advice : Use MAX_TIMESTAMP_LOOKAHEAD to scope the time stamp extraction and keep Splunk from interpreting a string in the raw data as the year.

On the example above, you would specify :

MAX_TIMESTAMP_LOOKAHEAD = 15

Hope this Helps!

Time stamp of historical syslog data gets incorrectly set to the current year

Follow this question

Splunk Resources

Related questions