Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Timestamp Issue in Splunk
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Timestamp Issue in Splunk
Hi,
I am using Splunk for the first time.
I tried looking for the answer in the blogs however the answers were not able to help me.
I have a problem that when i am running a search in splunk it is not taking correct timestamp for some of my log files.
For Eg: for date 5/06/12 -- 5th June, it is returning data as 6th May and for 07/06/12 -- it is giving the correct data. However, at times it is not giving data in 5th june or 6th may. So, in short it is behaving unconsistently.
This is the timestamp from sample log file:
RTS_WS974 05/06/12 01:47:40.722 [20:23:48.870]
I tried updating the props.conf file with this:
TIME_FORMAT = %d/%m/%y %k:%M:%S
for all occurances of TIME_FORMAT in the conf file however i am still facing the same issue.
Any help would be highly appreciated.
Regards,
Shweta
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you restarted Splunk after doing these changes? Are you looking at changes in data that comes in after restart only? The changes will not affect timestamps for events that have already been indexed.
EDIT: No, you cannot change the timestamp values for events that are already in the index. You could look at some workarounds if you're interested: http://splunk-base.splunk.com/answers/49888/can-we-modify-a-wrong-timestamp
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Updated my answer to include info about timestamps that are already in the index.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your reply.
Yes i restarted splunk.Is there any way to get the changes in data that was already indexed before the restart?
because i am using trial version and can only upload 500mb in a day and i have a lot of data already uploaded for analysis. So this way i am losing all the efforts i spent in past few days in data upload.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
SplunkTrust Application Period is Officially OPEN!
