Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Logs with no timestamp incorrectly getting date from file name

gpullis
Communicator
‎07-25-2011 01:10 PM

I have a sourcetype where Splunk is correctly getting the time stamp from the events, but the events don't contain a date.

Unfortunately the logs are named like:

rkj050508_d0373452.broomecounty.us.tracesql

Where 050508 is part of a username, and not a date. But, sure enough, Splunk thinks the events are from 2008-05-05.

Is there a way to get the date from index-time, but get the time from the timestamp?

Tags (2)
Reply

jbsplunk
Splunk Employee
Splunk Employee
‎07-25-2011 03:26 PM

I would suggest using DATETIME_CONFIG = current in props.conf for the sourcetype the data is assigned. I think it has a decent chance at telling splunk to use the system current timestamp for the event. You can also try to specify a TIME_FORMAT, TIME_PREFIX, and MAX_TIMESTAMP_LOOKAHEAD in props.conf to tell splunk what the time format is, where to look for the timestamp, and how many characters the timestamp contains. If there isn't a date in the file, just don't specify one. The default behavior is that when the log doesn't contain a date, to revert to the mod time of the file for the date. Hopefully this will get you close to what you'd like to see.

http://www.splunk.com/base/Documentation/latest/Data/Configuretimestamprecognition

0 Karma
Reply

gpullis
Communicator
‎08-06-2011 05:53 PM

Actually, the default behavior appears to be to look for a date in the filename if it can't find a date in the event.

Reply

jbsplunk
Splunk Employee
Splunk Employee
‎07-26-2011 11:49 AM

I edited my answer to reflect what I would suggest given this information.

0 Karma
Reply

gpullis
Communicator
‎07-26-2011 06:54 AM

Thanks, but what I'd like to do is use the timestamp from the log entry plus the modification date of the file to form the timestamp for the event. Is there a way to do that?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...