Getting Data In

Logs with no timestamp incorrectly getting date from file name

gpullis
Communicator

I have a sourcetype where Splunk is correctly getting the timestamp from the events, but the events don't contain a date.

Unfortunately the logs are named like:

rkj050508_d0373452.broomecounty.us.tracesql

Where 050508 is part of a username, and not a date. But, sure enough, Splunk thinks the events are from 2008-05-05.

Is there a way to get the date from index-time, but get the time from the timestamp?


jbsplunk
Splunk Employee

I would suggest using DATETIME_CONFIG = current in props.conf for the sourcetype the data is assigned to. I think it has a decent chance at telling Splunk to use the system's current timestamp for the event. You can also try to specify a TIME_FORMAT, TIME_PREFIX, and MAX_TIMESTAMP_LOOKAHEAD in props.conf to tell Splunk what the time format is, where to look for the timestamp, and how many characters the timestamp contains. If there isn't a date in the file, just don't specify one. The default behavior, when the log doesn't contain a date, is to revert to the mod time of the file for the date. Hopefully this will get you close to what you'd like to see.

http://www.splunk.com/base/Documentation/latest/Data/Configuretimestamprecognition

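As an added illustration of the props.conf settings named in the answer above (this is not configuration from the original thread or from Splunk's documentation), here is a stanza showing both approaches. It assumes the sourcetype is called tracesql and that each event begins with a bare time such as 14:05:33.123; the real layout of the tracesql events is not shown in the thread, so TIME_FORMAT, MAX_TIMESTAMP_LOOKAHEAD and the TZ value are assumptions to be adjusted to the actual data. Getting this right matters beyond tidiness: an event stamped 2008-05-05 instead of its real date falls outside any time-bounded search and cannot be correlated with other sources during an investigation.

```ini
# Added example, not from the original thread. Assumes a sourcetype named
# "tracesql" whose events start with a bare time like "14:05:33.123".

[tracesql]
# Option A (the first suggestion in the thread): ignore whatever is in the
# data and stamp each event with the indexer's current time. Simple, but the
# time-of-day recorded in the log line is discarded, which weakens any later
# timeline reconstruction.
#DATETIME_CONFIG = current

# Option B: tell Splunk exactly where the time is so it stops guessing.
# TIME_PREFIX anchors the search at the start of the event, TIME_FORMAT
# carries no date fields at all (hours, minutes, seconds, milliseconds), and
# the lookahead is limited to the 12 characters of that time so nothing
# further along the line can be mistaken for a timestamp.
TIME_PREFIX = ^
TIME_FORMAT = %H:%M:%S.%3N
MAX_TIMESTAMP_LOOKAHEAD = 12

# Timezone of the host that wrote the file (assumed value). Without it a bare
# time is interpreted in the indexer's local zone.
TZ = America/New_York
```

With Option B the time-of-day comes from the event; where the date comes from is governed by the default behavior discussed in the thread, and the thread offers no setting that changes it. After re-indexing a sample file, confirm the outcome rather than assuming it, for example with `sourcetype=tracesql | eval d=strftime(_time, "%Y-%m-%d") | stats count by d`, which makes a stray 2008-05-05 bucket obvious at a glance.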

gpullis
Communicator

Actually, the default behavior appears to be to look for a date in the filename if it can't find a date in the event.

jbsplunk
Splunk Employee

I edited my answer to reflect what I would suggest given this information.


gpullis
Communicator

Thanks, but what I'd like to do is use the timestamp from the log entry plus the modification date of the file to form the timestamp for the event. Is there a way to do that?
