Getting Data In

Timestamp preview different than timestamp in search

gunderjt
Explorer

Hello All,

Simply put, I can successfully detect the timestamp of an event while in preview mode
During Preview (note the event time distribution in the right corner)

But when I begin searching the data, the timestamp is replaced by the current date and each event has a timestamp=none In Search

Can someone hint at what I might be doing wrong?

1 Solution

vincesesto
Communicator

Hi Gunderjt,

Yeah, I typed out sample data from the images you posted and had the same issue. I think that Splunk may have been getting confused with the multiple date values in the event and as a result, could not decide how to set the date correctly.

Either way, I have been able to get it to work by adding the TIME_PREFIX option set to the start of the line (^), and have got the following props config to work:
[DoIt1]
MAX_DAYS_AGO = 10900
NO_BINARY_CHECK = 1
TIME_PREFIX = ^
pulldown_type = 1

I hope this works for you and if not...let me know and I will try to find a different way around this.

Regards, Vince


gunderjt
Explorer

That did it! Thanks a lot 🙂


hvaithia
Path Finder

Hi,

I have a very similar issue too. I have posted it in
http://answers.splunk.com/answers/233542/timestamp-preview-different-than-timestamp-in-sear.html

The solution you gave did not work for me. I tried the time_prefix values
TIME_PREFIX=^\"timestamp\":\s\"
TIME_PREFIX="timestamp":
Nothing so far, any clues?


vincesesto
Communicator

Hi gunderjt,

I can see that your source type has TIME_FORMAT set, but does it also have a TIME_PREFIX value set? This is usually found in your props.conf, usually in /opt/splunk/etc/system/local/. You could also set the BREAK_ONLY_BEFORE_DATE = true option and see if this corrects the issue.

Please feel free to post the entry for the props.conf file, and I would be happy to take a look at it.

Lastly, when you are setting up the sourcetype through manual import, there is the Timestamps tab which can also perform these changes for you.

Please let me know if you have any questions.

Regards,

Vince

gunderjt
Explorer

Thank you for your help Vince,

I don't have a TIME_PREFIX as the timestamp is the first half a dozen characters in an event. I also put the "BREAK_ONLY_BEFORE_DATE = true" command into the props.conf file. But to no avail.

Here is the props.conf sourcetype:

[DoIt1]
BREAK_ONLY_BEFORE_DATE = true
CHECK_FOR_HEADER = true
KV_MODE = none
MAX_DAYS_AGO = 10900
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = False
TIME_FORMAT = %m/%d/%Y
pulldown_type = 1

Like I said, during the preview when I'm setting up my timestamp configuration, it works just fine, but breaks in the search app.
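As an added example (not part of this thread, and not Splunk's own extraction code), the script below is a small offline model of how the settings discussed here interact: TIME_PREFIX decides where in the event the search for a timestamp starts, TIME_FORMAT decides what is accepted, MAX_TIMESTAMP_LOOKAHEAD bounds how far the search looks, and MAX_DAYS_AGO rejects dates that are too old. Events that yield no timestamp are the ones that would fall back to the indexing time, which is the symptom gunderjt describes. The DoIt1 events, the JSON event, and its ISO TIME_FORMAT are all constructed for this example; the stanza values (TIME_FORMAT = %m/%d/%Y, MAX_DAYS_AGO = 10900, TIME_PREFIX = ^) are the ones from the thread. The JSON case goes one step beyond the thread: it shows why a prefix that anchors on the "timestamp" key matters when an earlier field in the event also looks like a date.

```python
import re
from datetime import datetime

# Translation of the strptime directives this example needs into regex fragments.
# This table is the example's own simplification, not Splunk's matcher.
_DIRECTIVE_RE = {
    "%Y": r"\d{4}", "%m": r"\d{1,2}", "%d": r"\d{1,2}",
    "%H": r"\d{1,2}", "%M": r"\d{2}", "%S": r"\d{2}",
}


def format_to_regex(time_format):
    """Turn a TIME_FORMAT string into a compiled regex that finds candidate timestamps."""
    pattern = ""
    i = 0
    while i < len(time_format):
        if time_format[i] == "%":
            directive = time_format[i:i + 2]
            if directive not in _DIRECTIVE_RE:
                raise ValueError(f"unsupported directive {directive!r}")
            pattern += _DIRECTIVE_RE[directive]
            i += 2
        else:
            pattern += re.escape(time_format[i])
            i += 1
    return re.compile(pattern)


def extract_timestamp(event, props, now):
    """Return (datetime or None, reason) for one event under a props stanza (simplified model)."""
    start = 0
    prefix = props.get("TIME_PREFIX")
    if prefix is not None:
        # TIME_PREFIX is a regex; extraction begins right after its match.
        m = re.search(prefix, event)
        if m is None:
            return None, "TIME_PREFIX did not match"
        start = m.end()
    lookahead = props.get("MAX_TIMESTAMP_LOOKAHEAD", 128)  # Splunk's documented default
    window = event[start:start + lookahead]
    candidate = format_to_regex(props["TIME_FORMAT"]).search(window)
    if candidate is None:
        return None, "nothing matching TIME_FORMAT inside the lookahead window"
    try:
        ts = datetime.strptime(candidate.group(0), props["TIME_FORMAT"])
    except ValueError:
        return None, f"{candidate.group(0)!r} is not a valid {props['TIME_FORMAT']}"
    max_days_ago = props.get("MAX_DAYS_AGO", 2000)  # Splunk's documented default
    if (now - ts).days > max_days_ago:
        return None, f"{ts.date()} is older than MAX_DAYS_AGO={max_days_ago}"
    return ts, "ok"


def check_events(events, props, now):
    """Run every event through the stanza; None means the event would fall back to 'now'."""
    return [(event,) + extract_timestamp(event, props, now) for event in events]


NOW = datetime(2015, 6, 10, 12, 0, 0)  # fixed clock so the run is reproducible

# Constructed events shaped like gunderjt's DoIt1 data: a %m/%d/%Y date at the
# start of the line plus a second date later in the same event.
DOIT1_EVENTS = [
    "03/02/2015,DoIt1,ok,next_run=03/09/2015",
    "03/09/2015,DoIt1,failed,next_run=03/16/2015",
    "Date,Job,Status,NextRun",                  # CSV header row: no timestamp at all
    "01/15/1985,DoIt1,ok,next_run=01/22/1985",  # parses, but older than MAX_DAYS_AGO
]
# Values from the thread: TIME_FORMAT from gunderjt's stanza, TIME_PREFIX = ^ from the answer.
DOIT1_PROPS = {"TIME_PREFIX": r"^", "TIME_FORMAT": "%m/%d/%Y", "MAX_DAYS_AGO": 10900}

# Constructed JSON-style event with two date-like fields. The ISO TIME_FORMAT is an
# assumption; the thread does not show hvaithia's actual data.
JSON_EVENTS = [
    '{"ordered": "2015-06-01T08:00:00", "item": "x", "timestamp": "2015-06-03T10:15:00"}',
]
JSON_PROPS_START = {"TIME_PREFIX": r"^", "TIME_FORMAT": "%Y-%m-%dT%H:%M:%S"}
JSON_PROPS_KEY = {"TIME_PREFIX": r'"timestamp":\s*"', "TIME_FORMAT": "%Y-%m-%dT%H:%M:%S"}

if __name__ == "__main__":
    runs = [("DoIt1", DOIT1_EVENTS, DOIT1_PROPS),
            ("json/^", JSON_EVENTS, JSON_PROPS_START),
            ("json/key", JSON_EVENTS, JSON_PROPS_KEY)]
    for label, events, props in runs:
        for event, ts, reason in check_events(events, props, NOW):
            shown = ts if ts is not None else f"falls back to {NOW} ({reason})"
            print(f"{label:9} {shown}  <- {event[:44]}")
```

Two things the run makes visible: the header row and the 1985 event come back with no timestamp for different reasons (no match versus the MAX_DAYS_AGO window), so a whole-file fallback to the current date is worth checking against both causes; and on the JSON event the `^` prefix picks the first date-like value ("ordered"), while anchoring the prefix on the key picks the intended one. For the same reason, a prefix written as `^"timestamp":` only matches events that begin with that key, which is a regex property worth remembering when a prefix seems to do nothing.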
