Getting Data In

Date without year, wrong index.

Engager

Hello...

I'm having some trouble indexing some log files, because of the format they are in.

Example:

11/12 22:54:31.87:8becc368:02:00:sradisk : verify requests 7629376 (645/sec)

As you can see, there's no year on the date. The format is Month/Date only.

My problem is, Splunk is indexing this like:

12/22/11
10:54:31.800 PM

So, it's getting the hour of the event and using it as the day, getting the month and using it as a year, and the day becomes the month!

I'm wondering if there's a way to solve this, since some of my logs normally do not have the year field.

Thanks a lot,

Thiago

Builder

Not too sure if this applies here, but you could use this:
rename date_mday as Day time as Time | convert timeformat="%H.%M" ctime(Time) | table Day, Time

What this does is put it in a table, but it will still show if you click visualization. Obviously this would require some editing, but you could use something similar.

Contributor

Hi,

I had a similar problem and the following worked for my case:

[your_sourcetype]   # placeholder stanza: use the sourcetype (or source/host) of these logs
TZ = Europe/Dublin
TIME_FORMAT = %m/%d %H:%M:%S
EXTRACT-fields = (?im)^(?P<TIMESTAMP>\d{2}/\d{2}\s\d{2}:\d{2}:\d{2})\s

in the props.conf file
http://docs.splunk.com/Documentation/Splunk/latest/admin/Propsconf
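To show what the TIME_FORMAT above actually has to cope with, here is an added example (not from the answer above and not Splunk's own code) that extracts the year-less timestamp from the question's log line and fills in a year. The regex is adapted from the answer (its trailing `\s` is dropped so the ".87" fractional seconds in the question's line do not block the match), and the year-completion rule is an assumption for this example, not Splunk's documented algorithm.

```python
import re
from datetime import datetime, timedelta

# Regex adapted from the Contributor's answer: the trailing "\s" is dropped so
# the question's line, which has ".87" right after the seconds, still matches.
TIMESTAMP_RE = re.compile(r"^(?P<TIMESTAMP>\d{2}/\d{2}\s\d{2}:\d{2}:\d{2})", re.I | re.M)
TIME_FORMAT = "%m/%d %H:%M:%S"   # as in the answer: no year field, fraction ignored

# Constructed sample, copied from the question.
SAMPLE_LINE = "11/12 22:54:31.87:8becc368:02:00:sradisk : verify requests 7629376 (645/sec)"


def extract_timestamp(line, now=None):
    """Return a datetime for a year-less MM/DD HH:MM:SS timestamp, or None.

    Year completion is an assumption for this example, not Splunk's documented
    algorithm: take the current year, and if that would place the event more
    than a day in the future, assume the event belongs to the previous year
    (a log that rolled over New Year).
    """
    now = now or datetime.now()
    m = TIMESTAMP_RE.match(line)
    if m is None:
        return None
    stamp = m.group("TIMESTAMP")
    for year in (now.year, now.year - 1):
        try:
            # Prefix the year so strptime validates the date against a real
            # calendar (e.g. 02/29 is only accepted in a leap year).
            parsed = datetime.strptime(f"{year}/{stamp}", "%Y/" + TIME_FORMAT)
        except ValueError:
            continue
        if parsed - now <= timedelta(days=1):
            return parsed
    return None


if __name__ == "__main__":
    # With a clock of mid-November 2011 the event lands on 2011-11-12 22:54:31,
    # not on 12/22/11 22:54 as in the question.
    print(extract_timestamp(SAMPLE_LINE, now=datetime(2011, 11, 15)))
```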

Splunk Employee

The only .conf files that exist by default upon installation of Splunk are the ones in /etc/system/default.

You must create your own copy of the relevant .conf file in /etc/system/local to define personal settings. In this particular case, you should first read:
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles for information on how to use configuration files

and then read:
http://docs.splunk.com/Documentation/Splunk/latest/Data/Configuretimestamprecognition for specifics on timestamping issues

Engager

Hi there!

Sorry, but I'm new to Splunk. Where should I put those lines?

I'm trying to find the file where I can define the personal filters, but can't find it.

Thanks.