topic Re: Default datetime fields in Getting Data In

Default datetime fields

Martin583 — Wed, 15 Dec 2021 13:45:02 GMT

I am using Splunk to Search historical data in a virtual index but I have noticed that the default date_year is being incorrectly added.

My data is from 2020 and when I search I specified a source pointing to a particular directory based on the date at which it was ingested.

Unfortunately the logs in question have a timestamp in the following format %b %e %H:%M:%S i.e no year..

When I run my search looking in the folder for 15/08/2020 some of the default dates are 2020 but some are 2021.

index=vix_web source="/data/xx/xxx/xxx/xxx/2020/08/15"

Having done some research on how the default times are extracted, it would seem datetime.xml is used but I still don't know where the year is extracted from.

Can anyone help

Re: Default datetime fields

ldongradi_SPL — Wed, 15 Dec 2021 14:28:34 GMT

You should get your answer here:

https://docs.splunk.com/Documentation/Splunk/latest/Data/HowSplunkextractstimestamps#How_Splunk_software_assigns_timestamps

under the section : How Splunk software determines timestamps with no year

Re: Default datetime fields

Martin583 — Wed, 15 Dec 2021 15:12:20 GMT

Thank you for your reply.

What I don't understand is that for some months of the historical data for the same types of events it will have a default date_year which is correct i.e 2020 but some that come back as 2021.

Any ideas?

Re: Default datetime fields

Martin583 — Wed, 15 Dec 2021 15:42:33 GMT

Following the logic in the article I would think that the vast majority of the Historical logs should infact have 2021 applied to them.

Re: Default datetime fields

Martin583 — Wed, 15 Dec 2021 15:45:58 GMT

Is there a way in which I can force the year based on the source of the historical data, i.e the directory path for the data?