Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to debug timestamp assignment issues?

Derek
Path Finder
‎01-13-2011 05:00 PM

Hi,

I have a log file that when ingested using a one shot, all but 3 of the events get stamped with the correct date/time. The 3 events all have the time in them and get stamped with the correct time but since the date is not in the event end up with a date that is not either the current date or the date of the last modification time of the file.

When reviewing "Precedence rules for timestamp assignment" at http://www.splunk.com/base/Documentation/latest/Admin/HowSplunkextractstimestamps it would seem like step #5 and #6 should kick in since most likely #4 does not happen because splunk is most likely not going to parse the date out of the source name which is not of a standard format.

How can I debug what is happening?

Thanks!

Tags (2)
0 Karma
Reply

Rob
Splunk Employee
Splunk Employee
‎01-14-2011 11:22 AM

If you could provide a sample event line for us and what timestamp splunk gives it versus what timestamp it should get then that may help us figure out a way to get the correct timestamp in there.

0 Karma
Reply

Derek
Path Finder
‎01-13-2011 08:29 PM

That's the weird part. The date that shows up on the events is neither the system time or the last mod time on the file. The events in question do not have any kind of date in them that it finds based on the analysis in the answer below. The only thing is that these records happen consecutively and so the first one gets the correct date given step #3 in the timestamp precedence but the subsequent ones get this random date...

0 Karma
Reply

araitz
Splunk Employee
Splunk Employee
‎01-13-2011 09:04 PM

You just asked for debugging info. If you want us to help you debug, please provide more details in your original post - what OS, what do the raw events look like, what timestamp does Splunk end up giving them?

0 Karma
Reply

Derek
Path Finder
‎01-13-2011 08:25 PM

I checked the answer out but my the _time and the analysis of the time positions show that the date isn't in what it's finding. So how can I debug the timestamp assignment precedence as it relates to the date?

0 Karma
Reply

Rob
Splunk Employee
Splunk Employee
‎01-13-2011 05:27 PM

can you see which date is being used? Is it using the system time?

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...