Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Manually configure timestamp at index time from custom datetime.xml

bizza
Path Finder
‎05-05-2014 02:18 AM

I tried to configure a custom datetime.xml (for my first time) as follow:

<datetime>

<define name="csdate" extract="year, month, day, hour, minute">
        <text><![CDATA[[\s\S]{40}(\d{4})(\d{2})(\d{2})[\s\S]{206}(\d{2})(\d{2})]]></text> 
</define>

<timePatterns>
    <use name="csdate"/>
</timePatterns> 

<datePatterns>
    <use name="csdate"/>
</datePatterns>
</datetime>

Regex match exactly year, mont, day, hour and minute.
In props.conf I added

DATETIME_CONFIG = /etc/system/local/datetime.xml

SHOULD_LINEMERGE = FALSE

TIME_FORMAT = %Y%m%d%H%M

Any ideas why data are not indexed with resulting timestamp?
I tried to split in 2 regex, for timePatterns and datePatterns match, but the result is still the same.

Or do you suggest a different way to achieve timestamp override at index time?

Regards

Reply
1 Solution
Solved! Jump to solution
Solution

abonuccelli_spl
Splunk Employee
Splunk Employee
‎05-28-2014 08:22 AM

Problem here I believe was due to actual timestamps in raw event past the default (MAX_TIMESTAMP_LOOKAHEAD) 150 chars.

View solution in original post

Reply
Solved! Jump to solution
Solution

abonuccelli_spl
Splunk Employee
Splunk Employee
‎05-28-2014 08:22 AM

Problem here I believe was due to actual timestamps in raw event past the default (MAX_TIMESTAMP_LOOKAHEAD) 150 chars.

Reply
Solved! Jump to solution

bizza
Path Finder
‎06-05-2014 01:05 AM

Yes, problem was MAX_TIMESTAMP_LOOKAHEAD.
Thanks for your help guys

ciao

0 Karma
Reply
Solved! Jump to solution

abonuccelli_spl
Splunk Employee
Splunk Employee
‎06-04-2014 01:32 AM

MMM, well it works for me...
Bizza should be able to confirm
Antonio

0 Karma
Reply
Solved! Jump to solution

marcoscala
Builder
‎06-04-2014 01:22 AM

Antonio,
I'm afraid but that's not the case either. In his/her case, date and time are splitted in the event data, so usual timeformat is more complex to manage. Unfortunately we can't use REGEX for TIME_FORMAT, otherwise that was the solution.

Marco

0 Karma
Reply
Solved! Jump to solution

lguinn2
Legend
‎05-05-2014 12:09 PM

You don't need a custom datetime.xml - I wouldn't do it that way. It is complicated and unnecessary.

In props.conf all you should need is

SHOULD_LINEMERGE = FALSE
TIME_FORMAT = %Y%m%d%H%M

Assuming that your timestamp looks like

201405021209

If not, please comment with an example or two of the timestamp.

0 Karma
Reply
Solved! Jump to solution

bizza
Path Finder
‎05-05-2014 01:48 PM

Yes, I added the --Y --m ecc only to show where timestamp fields are.
Ignore it and you'll have the original log line.

0 Karma
Reply
Solved! Jump to solution

nitesh218ss
Communicator
‎05-11-2015 11:09 PM

Hi in my log event and filename date is not present i want give a fix date to log so what is do ?

0 Karma
Reply
Solved! Jump to solution

lmyrefelt
Builder
‎05-05-2014 01:40 PM

Did you add the --Y and --m into the event example as an clarification ?
otherwise you could try;
TIME_PREFIX = \d{numberOfDigits}\s++
MAX_TIMESTAMP_LOOKAHEAD = 20
TIME_FORMAT = %Y%m%d
TIME_FORMAT = --Y%Y--m%m--d%d

0 Karma
Reply
Solved! Jump to solution

bizza
Path Finder
‎05-05-2014 12:16 PM

The problem is that timestamp is splitted on every lines.
For example:

204023600511105443000 20140422--Y2014--m04--d180000000005.0600000000000041096125031ABDCE 81234567 ABDCE F & C 10024 ABDCE F & C 45399700123456789000000000.104023600582105443000 386511186636492--H15--M36PSBP

every line has 300 characters(digits), fields are position-sensitive.
I added --Y, --m, --d, --H and --M just before timestamp fields.

I believe that a custom datetime.xml is my only option.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...

Customer success is front and center at .conf25

Hi Splunkers, If you are not able to be at .conf25 in person, you can still learn about all the latest news ...