topic Re: Date without year, wrong index. in Getting Data In

Date without year, wrong index.

psychosb — Tue, 10 Jan 2012 16:35:47 GMT

Hello...

I'm having some trouble in indexing some log files, because of the format they are.

Example:

11/12 22:54:31.87:8becc368:02:00:sradisk : verify requests 7629376 (645/sec)

As you can see, there's no year on the date. The format is Month/Date only.

My problem is, Splunk is indexing this like:

12/22/11
10:54:31.800 PM

So, It's getting the hour of the event and using it as the day. Getting the month and using it as a year, and the day becomes the month!

I'm wondering if there's a way to solve this, since some of my logs normally does not have the year field.

Thanks a lot,

Thiago

Re: Date without year, wrong index.

imrago — Tue, 10 Jan 2012 18:59:21 GMT

Hi,

I had a similar problem and the following worked for my case:

TZ = Europe/Dublin
TIME_FORMAT = %m/%d %H:%M:%S
EXTRACT-fields = (?im)^((?P<TIMESTAMP>\d{2}/\d{2}\s\d{2}:\d{2}:\d{2})\s

in the props.conf file
http://docs.splunk.com/Documentation/Splunk/latest/admin/Propsconf

Re: Date without year, wrong index.

psychosb — Tue, 10 Jan 2012 19:07:10 GMT

Hi there!

Sorry, but I'm new to Splunk. Where should I put those lines?

I'm trying to find the file that I can define the personal filters, but can't found it.

Thanks.

Re: Date without year, wrong index.

piebob — Tue, 10 Jan 2012 19:34:39 GMT

the only .conf files that exist by default upon installation of Splunk are the ones in /etc/system/default.

you must create your own copy of the relevant .conf file in /etc/system/local to define personal settings. in this particular case, you should first read:
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles for information on how to use configuration files

and then read:
http://docs.splunk.com/Documentation/Splunk/latest/Data/Configuretimestamprecognition for specifics on timestamping issues

Re: Date without year, wrong index.

markthompson — Mon, 28 Sep 2020 17:44:45 GMT

Not too sure if this applies here, but you could use this;
rename "date_mday" as "Day" "_time" as "Time" | convert timeformat=%H.%M ctime(Time) |table Day, Time

What this does is puts it in a table, but it will still show if you click visualization. Obviously this would require some editing but you could use something similar.