topic Re: Changing the Year in _time in Splunk Search

Is there a way to change the year in _time?

Macphisto — Fri, 14 Apr 2023 16:29:31 GMT

I have a 2015 log that I need to analyze

I have a 2015 Aruba log I need to analyze. The log does not have the year, so Splunk inputs the current year (2023). Is there a way to adjust the year? Here is a sample of my log (IP, MAC, and Name of Devices are XXX out).

Mar 14 12:37:13 stm[XXXXXX]: |AP XXXXXX stm| Auth request: XXXX AP XXX auth_alg 0

Mar 14 12:37:13 stm[XXXXXX]: |AP XXXXXX stm| Auth success: XXXXXX: AP XXXXXX

Mar 14 12:37:33 stm[XXXXXX]: |AP XXXXXX stm| Deauth to sta: XXXXXX: Ageout AP

Here is what Splunk has

Thank you.

Re: Changing the Year in _time

ITWhisperer — Fri, 14 Apr 2023 15:23:07 GMT

| eval _time=strptime("2015 "._raw,"%Y %b %d %H:%M:%S")

Re: Changing the Year in _time

Macphisto — Fri, 14 Apr 2023 17:46:42 GMT

@ITWhisperer

Thank you. The year changed, but not correctly.

1s try use using the command provided:

index="XXXX"| eval _time=strptime("2015 "._raw,"%Y%b%d %H:%M:%S")

I get the following. The time is blank.

2nd try, I added another eval command. I get this the year as 1969 and the time is off.

index="01-aruba"| eval _time=strptime("2015"._raw,"%Y%b%d %H:%M:%S")
| eval _time="2015"

Re: Changing the Year in _time

ITWhisperer — Fri, 14 Apr 2023 18:52:44 GMT

You don't appear to have included the same spaces that I had in the format string.

Perhaps you could share your raw event in a code block </> so that formatting is preserved?

Re: Is there a way to change the year in _time?

woodcock — Fri, 14 Apr 2023 18:59:18 GMT

You should start all the way over and reindex the data with the correct year. Be sure to modify "MAX_DAYS_HENCE" first.

Re: Is there a way to change the year in _time?

Macphisto — Fri, 14 Apr 2023 21:03:21 GMT

@woodcock

Thank you. How do you input the correct year when inputting the log file? I tried looking for that, but I can't find the answer how to do it.

Re: Is there a way to change the year in _time?

woodcock — Fri, 14 Apr 2023 21:31:22 GMT

You get it wherever you can. In the filenname. In the directory path. In the file createtime. In the file modtime. Somewhere inside of the file. It has to be somewhere.

Re: Is there a way to change the year in _time?

PickleRick — Sat, 15 Apr 2023 16:10:59 GMT

OK. Unless you do some ingest-time magic, splunk assumes that the missing timestamp parts are "current" (with some exceptions; see https://docs.splunk.com/Documentation/Splunk/9.0.4/Data/HowSplunkextractstimestamps for detailed explanation). So as you already ingested your events and they got their timestamp parsed and the events are already indexed you have two (three because one has two variants) options.

1. Delete your already indexed data and ingest it again into a proper time. Which means that you have to either:

1a. use ingest-time evals to "move" them backwards into 2015 or

1b. modify your raw events to include the year in the timestamp

In both cases you might need to configure additional parameters so that Splunk doesn't "ignore" your timestamp because your events are too old. See https://docs.splunk.com/Documentation/Splunk/9.0.4/Data/Configuretimestamprecognition#Timestamp_settings

Or you can

2. Leave the data as it is, just modify the timestamp in search time. For example, similar to @ITWhisperer 's solution or just "move" the time backwards if only the year is wrong (your original example shows some more discrepancies between the _time field and the actual timestamp in the raw event so I'm not sure what is really going on in your tdata):

| eval _time=relative_time(_time,"-8y")

The first solution will of course incur additional license usage since you have to re-ingest your data, and the second is not very pretty since your data is still indexed in wrong spot in time. And searching for it is unintuitive.