topic Re: Log file not have any date field but splunk auto give different different date to event i need remove date in _time field? in Splunk Search

Log file not have any date field but splunk auto give different different date to event i need remove date in _time field?

nitesh218ss — Thu, 07 May 2015 12:45:24 GMT

Hi
I have log file which create every 1 hr so they not have date field but splunk Automatically provide different date to every event
So when i use time search betwwen some specific time. The search fail due to different date auto provide by splunk.
I need to give one date to every event or remove date field so i able to search particular time.

My log file demo:
07:33:41.571|0071540|1|49| |O|Created send socket [447.0.0.1:1618]
07:33:41.571|0071540|1|49| |O|Sending 319 byte request to Handler

Please give any solution

Re: Log file not have any date field but splunk auto give different different date to event i need remove date in _time field?

richgalloway — Thu, 07 May 2015 12:49:43 GMT

What is the search that is failing?

Re: Log file not have any date field but splunk auto give different different date to event i need remove date in _time field?

srinathd — Thu, 07 May 2015 12:51:49 GMT

you can use _indextime in the search query to retrieve

Re: Log file not have any date field but splunk auto give different different date to event i need remove date in _time field?

woodcock — Thu, 07 May 2015 15:05:51 GMT

You need to tell Splunk to use the date in the events to timestamp the events like this in props.conf:

TIME_PREFIX=^
TIME_FORMAT=%H:%M:%S

This should make events that have the same time to have the same timestamp, which I believe is what you would like. Splunk may not like that this does not specify a date. Is the date encoded in the log filename? If so, we can use datetime.xml to access it.

Re: Log file not have any date field but splunk auto give different different date to event i need remove date in _time field?

nitesh218ss — Fri, 08 May 2015 04:49:00 GMT

when i select time like 7:10:00.000 to 7:30:00.000 then they not show result because the date part in not same date which auto provided by splunk

Re: Log file not have any date field but splunk auto give different different date to event i need remove date in _time field?

nitesh218ss — Mon, 28 Sep 2020 19:56:08 GMT

hi sir,
I use
TIME_PREFIX=^
TIME_FORMAT=%H:%M:%S.%3N but first time they show current date but after some time date
again differ
i try use TIME_PREFIX=2015-05-09
but when search they show date 2015-05-011
means they not work any other way to set date

Re: Log file not have any date field but splunk auto give different different date to event i need remove date in _time field?

woodcock — Mon, 11 May 2015 13:01:53 GMT

TIME_PREFIX does not tell Splunk to add this prefix to your timestamp in each event, it is a REGEX applied to the event to tell Splunk where to have the parser begin looking for the timestamp inside each event.

Re: Log file not have any date field but splunk auto give different different date to event i need remove date in _time field?

nitesh218ss — Mon, 11 May 2015 17:55:25 GMT

but inside event date field not present only time field present
.so i want declarer my own date at a time of indexing or time searching but i don't now how i do this?

Re: Log file not have any date field but splunk auto give different different date to event i need remove date in _time field?

woodcock — Mon, 11 May 2015 18:14:41 GMT

Test what I gave you and see what Splunk does when you let it figure out the date without you telling Splunk where to find it. If you don't like what Splunk does by default, then use datetime.xml to hardcode something or pull the date from somewhere else (filename, modtime, etc.).

Re: Log file not have any date field but splunk auto give different different date to event i need remove date in _time field?

nitesh218ss — Tue, 12 May 2015 05:36:08 GMT

But if i change in datetime.xml then they effect other log also so what i do for single log?

Re: Log file not have any date field but splunk auto give different different date to event i need remove date in _time field?

nitesh218ss — Tue, 12 May 2015 07:44:46 GMT

i create folder with date so now i try to set date but i try with datetime.xml but fail

 C:\Users\T_NiteshS1\Documents\My Received Files\20150511\log2.log

If you see before log2.log you get folder 20150511 This is date
if you expend 20150511 this yyyymmdd

i try in xml is

&lt;define name="_masheddate2" extract="month, day, year"&gt;
    &lt;text&gt;&lt;![CDATA[(?:^|C:\Program Files\Splunk\etc\apps\search::).*?(20\d{2})(\d{2})(\d{2})]]&gt;&lt;/text&gt;
&lt;/define&gt;

Re: Log file not have any date field but splunk auto give different different date to event i need remove date in _time field?

woodcock — Tue, 12 May 2015 14:50:40 GMT

You do not have to use the global datetime.xml; create one inside your app that you reference directly that has only your configuration.

Re: Log file not have any date field but splunk auto give different different date to event i need remove date in _time field?

woodcock — Mon, 28 Sep 2020 19:53:17 GMT

Try this for your datetime.xml (hopefully markdown will not mangle the text):
<datetime>
<define name="_dateFromDirectorySegment" extract="year, month, day">
<text><![CDATA[source::.*?\(\d{4})(\d{2})(\d{2})\]]></text>
</define>
<define name="_timeFromEventData" extract="hour, minute, second, subsecond">
<text><![CDATA[^(\d{2}):(\d{2}:(\d{2}.(\d{3}]]></text>
</define>
<timePatterns>
<use name="_timeFromEventData"/>
</timePatterns>
<datePatterns>
<use name="_dateFromDirectorySegment"/>
</datePatterns>
</datetime>

Re: Log file not have any date field but splunk auto give different different date to event i need remove date in _time field?

woodcock — Tue, 12 May 2015 16:35:42 GMT

Do note that markdown removed all the backslashes from in from of my "(d{2})" an "(d{4})" strings, so you will have to put them back.

Re: Log file not have any date field but splunk auto give different different date to event i need remove date in _time field?

nitesh218ss — Tue, 12 May 2015 19:17:12 GMT

ya i create new datetime
but today i try with file path at place of source in satetime.xml
i try this in office tomorrow

Re: Log file not have any date field but splunk auto give different different date to event i need remove date in _time field?

nitesh218ss — Tue, 12 May 2015 19:17:45 GMT

thanks sir