Getting Data In

Time stamp of historical syslog data gets incorrectly set to the current year

hexx
Splunk Employee
Splunk Employee

I have some syslog-like data from 2008 that I'd like to index with Splunk :


Mar 7 13:33:21 beefysup01 avahi-daemon[3264]: Invalid query packet.
Mar 7 13:33:23 beefysup01 last message repeated 11 times
Mar 7 13:33:23 beefysup01 avahi-daemon[3264]: Recieved repsonse with invalid source port 53436 on interface 'eth0.0'
Mar 7 13:33:23 beefysup01 avahi-daemon[3264]: Invalid query packet.
Mar 7 13:33:54 beefysup01 last message repeated 153 times
Mar 7 13:34:20 beefysup01 last message repeated 95 times
Mar 7 13:34:20 beefysup01 avahi-daemon[3264]: Invalid legacy unicast query packet.
Mar 7 13:34:20 beefysup01 avahi-daemon[3264]: Invalid query packet.
Mar 7 13:34:25 beefysup01 last message repeated 36 times
Mar 7 13:34:27 beefysup01 avahi-daemon[3264]: Recieved repsonse with invalid source port 53436 on interface 'eth0.0'

Unfortunately, as these events have no year, Splunk assigns the current year (2012) to them!

Is there any way that I can tell Splunk to index this file using the actual year of origin (2008) as part of the time stamp?

Tags (1)
1 Solution

jbsplunk
Splunk Employee
Splunk Employee

Sure, you can use the touch command on the file where the historical data resides to set its modification time to 2008, and Splunk will then index the data using that year as part of the time stamp extraction. I ran into this behavior, and I resolved the issue by doing this:

touch -t 200804071105 test.log

One extra piece of advice : Use MAX_TIMESTAMP_LOOKAHEAD to scope the time stamp extraction and keep Splunk from interpreting a string in the raw data as the year.

On the example above, you would specify :

MAX_TIMESTAMP_LOOKAHEAD = 15

Hope this Helps!

View solution in original post

jbsplunk
Splunk Employee
Splunk Employee

Sure, you can use the touch command on the file where the historical data resides to set its modification time to 2008, and Splunk will then index the data using that year as part of the time stamp extraction. I ran into this behavior, and I resolved the issue by doing this:

touch -t 200804071105 test.log

One extra piece of advice : Use MAX_TIMESTAMP_LOOKAHEAD to scope the time stamp extraction and keep Splunk from interpreting a string in the raw data as the year.

On the example above, you would specify :

MAX_TIMESTAMP_LOOKAHEAD = 15

Hope this Helps!

View solution in original post

Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!