Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Timestamp extraction - Selecting 2013 instead of 2007

satishsdange
Builder
‎02-26-2015 08:43 PM

I am trying to extract timestamp. But instead of 2007, Splunk is extracting 2013 which is not at all in my event. Could someone please advise me how to fix this problem?

<38>Dec 14 06:24:30 10.2.1.30 SAFEART: Auditnumber="FFFE02F1677334EBBD36",TimeReported="2007/12/14 06:19:29",TimeReceived="2007/12/14

Props.conf

[xxx_logs]
TIME_PREFIX = TimeReported=
TIME_FORMAT = %Y/%m/%d %H:%M:%S
SHOULD_LINEMERGE = False
LINE_BREAKER = ([\n\r]+)<\d{2}>\w{3}\s\d{2}\s\d{2}:\d{2}:\d{2}

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rsennett_splunk
Splunk Employee
Splunk Employee
‎02-26-2015 10:20 PM

Here's what's missing from your settings: MAX_DAYS_AGO=4000

If you check out the spec for props.conf you'll see this setting and the explanation:

MAX_DAYS_AGO = <integer>
* Specifies the maximum number of days past, from the current date, that an extracted date
  can be valid.
* For example, if MAX_DAYS_AGO = 10, Splunk ignores dates that are older than 10 days ago.
* Defaults to 2000 (days), maximum 10951.
*** IMPORTANT: If your data is older than 2000 days, increase this setting.**

Note that last line... and the one above it. If you don't tell Splunk that it's legit to have a date that's from over 10 years ago... it assumes it's corrupted if it just pops in there... (if it's part of a giant backfill...Splunk will get the message because the dates are consecutive) I don't really have an explanation for the 2013 (my example came up with 2012 using your event)... except that Splunk is trying really hard to make sense of a date you've indicated by omission, is younger than 2000 days ago.

You also want to change TIME_PREFIX = Time Reported= to TIME_PREFIX = Time Reported="

If you check it out with the Add Data Wizard, (without my changes) you'll see messages explaining these things. When you don't include the quote in the prefix, (it is... part of what comes right before the date) Splunk will not really know exactly what to do with it and the message you'll see in the Wizard explains it's trying to figure out which date is the one you want. Splunk tries really, really hard to extract the timestamp and it will latch on to anything that even remotely looks like one. So it's best to be sure you're giving it the specific directives that lead it to the one you want... especially when there are several in one event.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

rsennett_splunk
Splunk Employee
Splunk Employee
‎02-26-2015 10:20 PM

Here's what's missing from your settings: MAX_DAYS_AGO=4000

If you check out the spec for props.conf you'll see this setting and the explanation:

MAX_DAYS_AGO = <integer>
* Specifies the maximum number of days past, from the current date, that an extracted date
  can be valid.
* For example, if MAX_DAYS_AGO = 10, Splunk ignores dates that are older than 10 days ago.
* Defaults to 2000 (days), maximum 10951.
*** IMPORTANT: If your data is older than 2000 days, increase this setting.**

Note that last line... and the one above it. If you don't tell Splunk that it's legit to have a date that's from over 10 years ago... it assumes it's corrupted if it just pops in there... (if it's part of a giant backfill...Splunk will get the message because the dates are consecutive) I don't really have an explanation for the 2013 (my example came up with 2012 using your event)... except that Splunk is trying really hard to make sense of a date you've indicated by omission, is younger than 2000 days ago.

You also want to change TIME_PREFIX = Time Reported= to TIME_PREFIX = Time Reported="

If you check it out with the Add Data Wizard, (without my changes) you'll see messages explaining these things. When you don't include the quote in the prefix, (it is... part of what comes right before the date) Splunk will not really know exactly what to do with it and the message you'll see in the Wizard explains it's trying to figure out which date is the one you want. Splunk tries really, really hard to extract the timestamp and it will latch on to anything that even remotely looks like one. So it's best to be sure you're giving it the specific directives that lead it to the one you want... especially when there are several in one event.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...