Getting Data In

Time stamp of historical syslog data gets incorrectly set to the current year

hexx
Splunk Employee
Splunk Employee

I have some syslog-like data from 2008 that I'd like to index with Splunk :


Mar 7 13:33:21 beefysup01 avahi-daemon[3264]: Invalid query packet.
Mar 7 13:33:23 beefysup01 last message repeated 11 times
Mar 7 13:33:23 beefysup01 avahi-daemon[3264]: Recieved repsonse with invalid source port 53436 on interface 'eth0.0'
Mar 7 13:33:23 beefysup01 avahi-daemon[3264]: Invalid query packet.
Mar 7 13:33:54 beefysup01 last message repeated 153 times
Mar 7 13:34:20 beefysup01 last message repeated 95 times
Mar 7 13:34:20 beefysup01 avahi-daemon[3264]: Invalid legacy unicast query packet.
Mar 7 13:34:20 beefysup01 avahi-daemon[3264]: Invalid query packet.
Mar 7 13:34:25 beefysup01 last message repeated 36 times
Mar 7 13:34:27 beefysup01 avahi-daemon[3264]: Recieved repsonse with invalid source port 53436 on interface 'eth0.0'

Unfortunately, as these events have no year, Splunk assigns the current year (2012) to them!

Is there any way that I can tell Splunk to index this file using the actual year of origin (2008) as part of the time stamp?

Tags (1)
1 Solution

jbsplunk
Splunk Employee
Splunk Employee

Sure, you can use the touch command on the file where the historical data resides to set its modification time to 2008, and Splunk will then index the data using that year as part of the time stamp extraction. I ran into this behavior, and I resolved the issue by doing this:

touch -t 200804071105 test.log

One extra piece of advice : Use MAX_TIMESTAMP_LOOKAHEAD to scope the time stamp extraction and keep Splunk from interpreting a string in the raw data as the year.

On the example above, you would specify :

MAX_TIMESTAMP_LOOKAHEAD = 15

Hope this Helps!

View solution in original post

jbsplunk
Splunk Employee
Splunk Employee

Sure, you can use the touch command on the file where the historical data resides to set its modification time to 2008, and Splunk will then index the data using that year as part of the time stamp extraction. I ran into this behavior, and I resolved the issue by doing this:

touch -t 200804071105 test.log

One extra piece of advice : Use MAX_TIMESTAMP_LOOKAHEAD to scope the time stamp extraction and keep Splunk from interpreting a string in the raw data as the year.

On the example above, you would specify :

MAX_TIMESTAMP_LOOKAHEAD = 15

Hope this Helps!

Get Updates on the Splunk Community!

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

New Learning Videos on Topics Most Requested by You! Plus This Month’s New Splunk ...

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

How I Instrumented a Rust Application Without Knowing Rust

As a technical writer, I often have to edit or create code snippets for Splunk's distributions of ...