Getting Data In

Time stamp of historical syslog data gets incorrectly set to the current year

hexx
Splunk Employee

I have some syslog-like data from 2008 that I'd like to index with Splunk:


Mar 7 13:33:21 beefysup01 avahi-daemon[3264]: Invalid query packet.
Mar 7 13:33:23 beefysup01 last message repeated 11 times
Mar 7 13:33:23 beefysup01 avahi-daemon[3264]: Recieved repsonse with invalid source port 53436 on interface 'eth0.0'
Mar 7 13:33:23 beefysup01 avahi-daemon[3264]: Invalid query packet.
Mar 7 13:33:54 beefysup01 last message repeated 153 times
Mar 7 13:34:20 beefysup01 last message repeated 95 times
Mar 7 13:34:20 beefysup01 avahi-daemon[3264]: Invalid legacy unicast query packet.
Mar 7 13:34:20 beefysup01 avahi-daemon[3264]: Invalid query packet.
Mar 7 13:34:25 beefysup01 last message repeated 36 times
Mar 7 13:34:27 beefysup01 avahi-daemon[3264]: Recieved repsonse with invalid source port 53436 on interface 'eth0.0'

Unfortunately, as these events have no year, Splunk assigns the current year (2012) to them!

Is there any way that I can tell Splunk to index this file using the actual year of origin (2008) as part of the time stamp?

1 Solution

jbsplunk
Splunk Employee

Sure, you can use the touch command on the file where the historical data resides to set its modification time to 2008, and Splunk will then index the data using that year as part of the time stamp extraction. I ran into this behavior, and I resolved the issue by doing this:

touch -t 200804071105 test.log

One extra piece of advice: use MAX_TIMESTAMP_LOOKAHEAD to scope the time stamp extraction and keep Splunk from interpreting a string in the raw data as the year.

On the example above, you would specify:

MAX_TIMESTAMP_LOOKAHEAD = 15

Hope this helps!

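The two pieces of the accepted answer, taken together, amount to a small algorithm: take the year from the file's modification time, and look only at the first 15 characters of each line for the timestamp so that a port number or PID further right can never be mistaken for a year. The script below is an added example (not code from the original post and not Splunk's own extraction logic) that reproduces that effect in plain Python so the result can be checked before indexing, and it handles two edge cases the thread does not show: an event dated after the file's mtime (impossible, so it belongs to the previous year) and a December-to-January rollover inside one file. The rollover and "not after mtime" rules are this example's own assumptions, not Splunk's documented behaviour; the sample log lines are constructed from the ones in the question. One practical caveat: `cp`, `scp` and most archive extractions reset the mtime, so run `touch -t` on the copy Splunk actually monitors, after it has been put in place.

```python
"""Infer the missing year of year-less syslog timestamps from a file's mtime.

Added example, not code from the original post or from Splunk. It mimics the
effect of `touch -t 200804071105 test.log` plus MAX_TIMESTAMP_LOOKAHEAD = 15.
"""
import os
import re
import tempfile
from datetime import datetime, timedelta

# Same value the accepted answer recommends: only the first 15 characters of a
# line are searched for a timestamp, so numbers further right (PIDs, ports
# such as 53436) can never be picked up as a year.
MAX_TIMESTAMP_LOOKAHEAD = 15

# Classic syslog prefix "Mmm dd HH:MM:SS"; the day may be space-padded ("Mar  7").
_TS_RE = re.compile(r"^([A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})")

# Constructed sample modelled on the lines in the question (no year present).
SAMPLE_LOG = (
    "Mar 7 13:33:21 beefysup01 avahi-daemon[3264]: Invalid query packet.\n"
    "Mar 7 13:33:23 beefysup01 last message repeated 11 times\n"
    "Mar 7 13:34:27 beefysup01 avahi-daemon[3264]: Recieved repsonse with "
    "invalid source port 53436 on interface 'eth0.0'\n"
)


def timestamp_prefix(line):
    """Return the year-less timestamp text inside the lookahead window, or None."""
    match = _TS_RE.match(line[:MAX_TIMESTAMP_LOOKAHEAD])
    return match.group(1) if match else None


def _with_year(prefix, year):
    # Parse with the year included so "Feb 29" resolves correctly in leap years.
    return datetime.strptime(f"{year} {prefix}", "%Y %b %d %H:%M:%S")


def assign_years(lines, mtime):
    """Pair each line with a full datetime, taking the starting year from `mtime`.

    `mtime` is the file's modification time as a naive local datetime. The two
    adjustment rules are this example's assumptions, not Splunk's algorithm:
    an event cannot postdate the file that contains it, and a jump backwards of
    more than half a year means the calendar rolled over to the next year.
    """
    year = mtime.year
    prev = None
    result = []
    for line in lines:
        prefix = timestamp_prefix(line)
        if prefix is None:
            result.append((prev, line))  # no timestamp in window: inherit previous
            continue
        event = _with_year(prefix, year)
        if event > mtime:
            year -= 1  # later than the file itself: must be the previous year
            event = _with_year(prefix, year)
        elif prev is not None and event < prev - timedelta(days=180):
            year += 1  # Dec -> Jan rollover inside the same file
            event = _with_year(prefix, year)
        prev = event
        result.append((event, line))
    return result


def infer_years(text, touch_stamp):
    """Years each line would get if its file had been `touch -t touch_stamp`-ed.

    `touch_stamp` uses the YYYYMMDDhhmm form from the answer (e.g. 200804071105).
    """
    mtime = datetime.strptime(touch_stamp, "%Y%m%d%H%M")
    return [event.year for event, _ in assign_years(text.splitlines(), mtime)]


def set_mtime(path, when):
    """Python equivalent of `touch -t YYYYMMDDhhmm path` for a naive local datetime."""
    stamp = when.timestamp()
    os.utime(path, (stamp, stamp))


def load_with_inferred_years(path):
    """Read a real file and assign years from its on-disk modification time."""
    mtime = datetime.fromtimestamp(os.path.getmtime(path))
    with open(path, encoding="utf-8") as fh:
        return assign_years([ln.rstrip("\n") for ln in fh], mtime)


def demo():
    """Write the sample to a temp file, touch it back to 2008 as in the answer,
    and return the years that the mtime-based extraction assigns."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "test.log")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_LOG)
        set_mtime(path, datetime(2008, 4, 7, 11, 5))  # touch -t 200804071105
        return [event.year for event, _ in load_with_inferred_years(path)]


if __name__ == "__main__":
    print("untouched file, mtime in 2012:", infer_years(SAMPLE_LOG, "201206010000"))
    print("after touch -t 200804071105: ", demo())
```

Running it prints `[2012, 2012, 2012]` for the untouched case (the problem in the question) and `[2008, 2008, 2008]` after the `touch`. The lookahead window of 15 characters is exactly wide enough for a padded syslog prefix (`Mar  7 13:33:21` or `Mar 10 13:33:21`), which is why 15 is a good value for this format and would need raising for formats with a longer prefix.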

