Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk takes the wrong timestamp from the log

jorjiana88
Path Finder
‎12-24-2017 01:44 AM

I have a log that has multiple timestamps like this inside, but not all lines have such a date entry.

NOTE: 24DEC17:09:05:53.121 start executig macro main() syscc=0

The log creation date is 2017-12-24 9:05.

Some of the lines in the log are indexed with today's date (it seems to take creation date of the file), and some are indexed as if they were yesterday and at 17:09 instead of 9:05 a.m,: 12/23/17 5:09:05.570 PM

How can I make sure that Splunk takes the correct date ?

Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎12-24-2017 05:48 AM

@jorjiana88, would it be possible to post the raw sample data of the event where timestamp recognition is not working? What is the format of timestamp on these events (is it date time or just time)?

You can get one of your sample data file and choose Settings --> Add Data --> Upload to Splunk for data preview. Note only first 1000 events in 50 pages will be displayed in the data preview mode. So make sure raw events with incorrect timestamp are in first 1000 events (you can create your own dummy file with such with few correct/incorrect log events sampled from original log files to ingest).

Under the first step in the Data Preview Mode the Set Source Type screen you should verify whether the correct timestamp is getting assigned to events or not. You can use the Timestamps option in this screen to make sure that correct timestamp gets picked up for data being ingested. Once your data preview displays correct timestamp, no need to continue with data ingestion. Under the Advanced section there should be an option to Copy to Clipboard from where you can pick up Timestamp related props.conf configuration and update to your props.conf file in production. Refer to the following few Splunk documentation to understand and configure Timestamp recognition:

http://docs.splunk.com/Documentation/Splunk/latest/Data/Modifyeventprocessing
http://docs.splunk.com/Documentation/Splunk/latest/Data/Configuretimestamprecognition
http://docs.splunk.com/Documentation/Splunk/latest/Data/HowSplunkextractstimestamps

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎12-24-2017 05:48 AM

@jorjiana88, would it be possible to post the raw sample data of the event where timestamp recognition is not working? What is the format of timestamp on these events (is it date time or just time)?

You can get one of your sample data file and choose Settings --> Add Data --> Upload to Splunk for data preview. Note only first 1000 events in 50 pages will be displayed in the data preview mode. So make sure raw events with incorrect timestamp are in first 1000 events (you can create your own dummy file with such with few correct/incorrect log events sampled from original log files to ingest).

Under the first step in the Data Preview Mode the Set Source Type screen you should verify whether the correct timestamp is getting assigned to events or not. You can use the Timestamps option in this screen to make sure that correct timestamp gets picked up for data being ingested. Once your data preview displays correct timestamp, no need to continue with data ingestion. Under the Advanced section there should be an option to Copy to Clipboard from where you can pick up Timestamp related props.conf configuration and update to your props.conf file in production. Refer to the following few Splunk documentation to understand and configure Timestamp recognition:

http://docs.splunk.com/Documentation/Splunk/latest/Data/Modifyeventprocessing
http://docs.splunk.com/Documentation/Splunk/latest/Data/Configuretimestamprecognition
http://docs.splunk.com/Documentation/Splunk/latest/Data/HowSplunkextractstimestamps

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎12-28-2017 08:28 PM

@jorjiana88,were you able to try out the suggestion? Is your issue resolved?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

jorjiana88
Path Finder
‎03-02-2018 02:43 PM

actually we made changes to the software that was generating the logs in order to fix it.

Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...