Hi
I'm new to Splunk and have what I think is a strange use case (maybe not!). We are capturing logs from an embedded device without a battery powered clock and therefore when booted the device has no reference to the current time. It generates logs from a time of 0 and timestamps the log events with a time offset in
The device does generally get a time reference quite soon after boot from NTP (if network connected) in the log, so I could pre-process the logs, parse out the time and write a valid timestamp for each event by recalculating the offset.
Does anyone have any recommendations?
Thanks
Robert
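As an added example (not code from the original thread or from Splunk), here is one way to do the pre-processing described above before the files are handed to a forwarder. It assumes a constructed log format where every line starts with `[seconds-since-boot]` and the NTP daemon writes a line of the form `ntpd: time set to <ISO-8601 UTC timestamp>` once it has a reference; both patterns are assumptions and would need to match the device's real output. It goes slightly beyond the single-boot case: a pulled file may span several reboots, so the offset dropping back towards zero is treated as a new boot segment, each segment is anchored on its own first NTP sync line, and a segment that never syncs is left marked as unresolved rather than given an invented time.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed line format: "[   12.250000] message". Offsets are seconds since boot.
LINE_RE = re.compile(r"^\[\s*(?P<offset>\d+\.\d+)\]\s*(?P<msg>.*)$")
# Assumed NTP sync line written by the device once it has a reference time (UTC).
SYNC_RE = re.compile(r"ntpd: time set to (?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)")

# Constructed sample covering two boots; the second one never reaches NTP.
SAMPLE = """\
[    0.000000] kernel: Booting Linux
[    2.500000] init: starting services
[   12.250000] ntpd: time set to 2024-03-01T10:00:00Z
[   15.000000] app: sensor read ok
[    0.000000] kernel: Booting Linux
[    1.000000] app: watchdog reset detected
""".splitlines()


def split_boots(lines):
    """Group lines into boot segments.

    A new segment starts whenever the offset goes backwards, which is the only
    evidence in the log itself that the device rebooted. Lines that do not
    match the format are kept in place with offset None so nothing is dropped.
    """
    segments, current, last = [], [], None
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            current.append((None, line))
            continue
        off = float(m.group("offset"))
        if last is not None and off < last:
            segments.append(current)
            current = []
        current.append((off, m.group("msg")))
        last = off
    if current:
        segments.append(current)
    return segments


def boot_epoch(segment):
    """Return the wall-clock time of offset 0 for a segment, or None.

    boot_epoch = (time reported by the first NTP sync line) - (its offset).
    Only the first sync line is used; later ones would only reflect NTP drift
    corrections and re-anchoring on them would make the output non-monotonic.
    """
    for off, msg in segment:
        if off is None:
            continue
        m = SYNC_RE.search(msg)
        if m:
            sync = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
            sync = sync.replace(tzinfo=timezone.utc)
            return sync - timedelta(seconds=off)
    return None


def rewrite(lines):
    """Rewrite each line with an absolute UTC timestamp.

    Segments without a sync line are prefixed with UNSYNCED+<offset> so they
    are still ingested but visibly carry no trustworthy time.
    """
    out = []
    for seg in split_boots(lines):
        epoch = boot_epoch(seg)
        for off, msg in seg:
            if off is None:
                out.append(msg)
            elif epoch is None:
                out.append(f"UNSYNCED+{off:.6f} {msg}")
            else:
                ts = epoch + timedelta(seconds=off)
                out.append(f"{ts.strftime('%Y-%m-%dT%H:%M:%S.%f')}Z {msg}")
    return out


if __name__ == "__main__":
    for line in rewrite(SAMPLE):
        print(line)
```

With lines rewritten this way the sourcetype can use an ordinary TIME_PREFIX/TIME_FORMAT in props.conf instead of DATETIME_CONFIG=CURRENT, which is what you want when the files are collected long after the events happened. The UNSYNCED prefix is deliberate: searching for it tells you how much of the data has no real timestamp, and those events should not be silently given the index time.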
In this case, I would probably use DATETIME_CONFIG=CURRENT
and just let the indexed time of the event be close enough... I am assuming you are forwarding these over the network, and they will arrive at the indexer within a few milliseconds of being created on the embedded device. If not, this will not work.
You need a reference time - any time source will do according to its accuracy. Without a reference time you're out of luck. You need a reference time.
Thanks for the suggestion, but unfortunately these are logs we pull off the device periodically, not passed in near-real time across the network.