How to get system time for each events indexed fil...

snehalk · ‎06-02-2017

Hello Everyone,

I have text files where there is no datetime in it, but my required is need to get each line as one event with indexing time ( that willbe system time).

I have used below props.conf but still its having same datetime for all the events in the file.

[test]
DATETIME_CONFIG = CURRENT
SHOULD_LINEMERGE = false

That is one file is having 100 lines as events and for all of that it has same timestamp.

Can any one help me where am going wrong

Thanks you

somesoni2 · ‎06-07-2017

You wanted to assign current time (time when Splunk sees/read the event) to be assigned as timestamp of the event, which it's doing correctly. Splunk has capacity to process multiple events at almost at the same time and they'll have same timestamp. What is your expected behivour?

snehalk · ‎06-28-2017

Hello somesoni2,

Thanks for reply, Yes, as you mentioned its taking almost all the events at same time, and because of this the splunk search performance is not good and also am getting other error too, so because of this i though if splunk has at least each event in different timestamp, then it will resolve all other issues. Is there any way to achieve this?

Thanks

yannK · ‎06-07-2017

I think that it cannot be achieved if your events do not have a timestamp in it.

As best splunk can assign the current timestamp to the events (DATETIME_CONFIG = CURRENT), it will be the indextime timestamp of the time splunk read the events from the file (not necessarily the mod time of the file or the line in the file).
As splunk will read them in a batch, several events will have the same timestamp.

If you can change your application to write the timestamp in the event, it will be possible.

nit123 · ‎06-02-2017

use time.time() to mark each one event by its time of creation to Splunk.

snehalk · ‎06-02-2017

Hello nit123,

Thank you for response, where i need to use this attribute? in props.conf file?

nit123 · ‎06-02-2017

In the python script that pulls data into Splunk and ingests it to some index.
The script will set value to CREATION_DATETIME and LAST_UPDATE_DATETIME in props.conf
In prop.conf , have something like

[StanzaName]
SHOULD_LINEMERGE = true
KV_MODE = auto
TIME_PREFIX=:\s|CREATION_DATETIME="|LAST_UPDATE_DATETIME="
TIME_FORMAT=%Y-%m-%dT%H:%M:%

If this information helps, reward points and accept answer. Thanks.

snehalk · ‎06-02-2017

Hello Nit123,

i have used below props.conf, but still am not getting different timestamp for each events.

[test]
SHOULD_LINEMERGE = true
KV_MODE = auto
TIME_PREFIX=:\s|CREATION_DATETIME="|LAST_UPDATE_DATETIME="
TIME_FORMAT=%Y-%m-%dT%H:%M:%

nit123 · ‎06-05-2017

Can you share the extract of your code for better understanding.

snehalk · ‎06-07-2017

Hello Nit123,
I have fixed length text files where there is no timestamp, and because of this Splunk by default adding 10000(say one file contain) events in one timestamp,
Is there any ways where i can atleast bundle 100 events ?

How to get system time for each events indexed file splunk

Detector Best Practices: Static Thresholds

Expert Tips from Splunk Education, Observability in Action, Plus More New Articles on ...

Changes to Splunk Instructor-Led Training Completion Criteria