How does Splunk determine the date, when there is no date stamp in the event?

Can someone explain how Splunk goes about working out what date to assign to an event, if the log text itself does not contain a date?

My reason for asking...

I'm having trouble indexing a particular file that only contains a timestamp. Logs look something like this:

14:00:15:049#L2Invision.cpp471#[6036] Record update:RD461, seq=542
14:00:15:049#L2Invision.cpp697#[6036] Data: '10002SU5W'
14:00:15:049#ClientEnd.cpp1455#[6036] CClientEnd::ServiceUpdate::Account=RD461, fields=1, field[10002]='INV'

Originally, it was not breaking correctly, so I configured props.conf like this:

[L2OTC_XCONTradingTrace]
TIME_PREFIX = ^
TIME_FORMAT = %H:%M:%S:%3N
SHOULD_LINEMERGE = true
LINE_BREAKER = ([\r\n])+(?=\d{1,2}:\d{2}:\d{2}:\d{3}#)

Splunk is currently correctly taking the timestamp, but incorrectly assigning tomorrow's date to it (causing some problems with search time ranges). I'd like to know why Splunk is deciding to do this, so I can investigate further.


Splunk Employee

Please see the "Precedence rules" for timestamp recognition: http://www.splunk.com/base/Documentation/latest/Admin/HowSplunkextractstimestamps

Basically:

  1. Use TIME_FORMAT and TIME_PREFIX on the raw text
  2. Use datetime.xml, or file otherwise specified in DATETIME_CONFIG, on the raw text
  3. Use timestamp of previous event in the source
  4. Use datetime.xml on the source name
  5. Use source file modification time if applicable and available
  6. Use the current indexer system time

These steps are logically done separately for time stamps and dates.

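To make the precedence list concrete for the time-only format in the question, here is an added example (not from the Splunk documentation, the answer, or the poster) that models how a date gets attached to events whose raw text carries only a time. It applies rule 1 for the time and then rules 3, 5 and 6 in order for the date, and flags events that land in the future relative to the indexer clock, which is the symptom described above. The sample lines are constructed, and the midnight-rollover heuristic is this example's own assumption rather than a statement about Splunk internals.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events, modelled on the time-only format in the question.
# The third and fourth lines cross midnight so the date logic is exercised;
# the last line has no leading time at all.
SAMPLE_LINES = [
    "14:00:15:049#L2Invision.cpp471#[6036] Record update:RD461, seq=542",
    "14:00:15:049#L2Invision.cpp697#[6036] Data: '10002SU5W'",
    "23:59:59:900#ClientEnd.cpp1455#[6036] CClientEnd::ServiceUpdate::Account=RD461",
    "00:00:01:200#ClientEnd.cpp1455#[6036] CClientEnd::ServiceUpdate::Account=RD461",
    "ServiceUpdate continued without any leading time",
]

# Mirrors TIME_PREFIX = ^ and TIME_FORMAT = %H:%M:%S:%3N from the question.
TIME_RE = re.compile(r"^(\d{1,2}):(\d{2}):(\d{2}):(\d{3})#")


def parse_time_of_day(line):
    """Return the time of day as a timedelta, or None when the line has no time."""
    m = TIME_RE.match(line)
    if m is None:
        return None
    h, mi, s, ms = (int(g) for g in m.groups())
    return timedelta(hours=h, minutes=mi, seconds=s, milliseconds=ms)


def assign_timestamps(lines, source_mtime=None, now=None):
    """Assign a full timestamp to each event.

    Simplified model of the precedence list: the time comes from the raw text
    (rule 1); the date comes from the previous event in the source (rule 3),
    else the source file's modification time (rule 5), else the system clock
    (rule 6). Returns a list of (timestamp, rule_used) pairs, one per line.
    """
    now = now if now is not None else datetime.now()
    results = []
    prev = None
    for line in lines:
        tod = parse_time_of_day(line)
        if tod is None:
            # No time in the text at all: fall through the precedence list
            # for the whole timestamp, not just the date.
            if prev is not None:
                ts, rule = prev, "previous event"
            elif source_mtime is not None:
                ts, rule = source_mtime, "file mtime"
            else:
                ts, rule = now, "system time"
        else:
            if prev is not None:
                day = prev.date()
                rule = "previous event"
                # Assumed rollover heuristic (this example's own, not a claim
                # about Splunk internals): a time of day earlier than the
                # previous event's is taken to mean the clock passed midnight.
                prev_tod = prev - datetime.combine(prev.date(), datetime.min.time())
                if tod < prev_tod:
                    day += timedelta(days=1)
            elif source_mtime is not None:
                day, rule = source_mtime.date(), "file mtime"
            else:
                day, rule = now.date(), "system time"
            ts = datetime.combine(day, datetime.min.time()) + tod
        prev = ts
        results.append((ts, rule))
    return results


def future_events(results, now):
    """Events stamped later than 'now': the symptom the question describes."""
    return [(ts, rule) for ts, rule in results if ts > now]


if __name__ == "__main__":
    clock = datetime(2010, 6, 1, 15, 0, 0)  # constructed "current" indexer time
    stamped = assign_timestamps(SAMPLE_LINES, now=clock)
    for ts, rule in stamped:
        print(ts.isoformat(timespec="milliseconds"), "via", rule)
    print("events stamped in the future:", len(future_events(stamped, clock)))
```

Running it with the constructed clock shows the first event taking its date from the system clock, the following ones from the previous event, and the post-midnight event advancing to the next day; three of the five end up later than the clock, which is exactly the kind of result that pushes events out of a search time range. The same walk through the rules, with the real file's modification time and the indexer's clock substituted, is a quick way to reason about which rule produced a surprising date before changing props.conf.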
