topic Re: How to change timestamp value on old data in an index in Splunk Search

How to change timestamp value on old data in an index?

vishalduttauk — Tue, 08 Nov 2022 15:44:49 GMT

Hi there,

I have a requirement where I have a large number of events which was uploaded on the 4th November but that needs to be changed to 1st November after it has been indexed. Is that possible?

Re: How to change timestamp value on old data in an index

gcusello — Mon, 07 Nov 2022 10:21:54 GMT

Hi @vishalduttauk,

indexed events cannot be modified, the only way is do delete them and reindiex with the correct timestamp.

Rememeber that devent deletion is only logical, not physical.

Ciao.

Giuseppe

Re: How to change timestamp value on old data in an index

vishalduttauk — Mon, 07 Nov 2022 11:54:46 GMT

Thanks @gcusello

I will do that. I can't rely on the created date of the file which i will re-upload? How can i specify the the timestamp as I have older data which needs to be uploaded.

The method is to use the add data functionality and to upload the txt file to the specified index.

Re: How to change timestamp value on old data in an index

gcusello — Mon, 07 Nov 2022 12:43:50 GMT

Hi @vishalduttauk,

only one information: do you want to use a timestamp contained in the events or to add a fixed one?

if the timestamp is contained in the event, you have only to configure your timestamp recognition to read the correct timestamp from the events.

Ciao.

Giuseppe

Re: How to change timestamp value on old data in an index

vishalduttauk — Mon, 07 Nov 2022 13:12:29 GMT

Hi @gcusello

I would like to add the same fixed one for every event within the file which will be uploaded.

Re: How to change timestamp value on old data in an index

gcusello — Mon, 07 Nov 2022 13:27:48 GMT

Hi @vishalduttauk,

this isn't a usual approach, anyway, you could insert the date you want in the filename, then you could add to your $SPLUNK_HOME/etc/datetime.xml the following raw:

<![CDATA[(?:^|source::).*?_(0?[1-9]|1[012])-(0?[1-9]|[12]\d|3[01])-(20\d\d|19\d\d|[901]\d(?!\d))\.log]]>

remembering to rename your file as: mylogs_11-1-2012.log

Ciao.

Giuseppe

Re: How to change timestamp value on old data in an index

vishalduttauk — Wed, 09 Nov 2022 10:54:37 GMT

Hi @gcusello

I am implementing that to the existing datetime.xml file. Is this what i should add?

</define>
<define name="_masheddate2" extract="month, day, year">
<text><![CDATA[(?:^|mylogs_01-10-2022.log::).*?_(0?[1-9]|1[012])-(0?[1-9]|[12]\d|3[01])-(20\d\d|19\d\d|[901]\d(?!\d))\.log]]></text>
</define>

Re: How to change timestamp value on old data in an index

gcusello — Wed, 09 Nov 2022 11:50:03 GMT

Hi @vishalduttauk,

"mylogs_01-10-2022.log" is a fixed string and you should use the field containing the field name, I suppose that your file name will change, so you have to use "source" instead "mylogs_01-10-2022.log".

It's important that you use this format ("string_dd-mm-yyyy.log") in the filename, otherwise, you have to change the regex.

in the first row you said "month, day, year", instead you have "day, month, year", you have to correct it based on the format you want to use in the file name.

Ciao.

Giuseppe