Timestamp preview different than timestamp in search

Explorer

Hello All,

Simply put, I can successfully detect the timestamp of an event while in preview mode
During Preview (note the event time distribution in the right corner)

But when I begin searching the data, the timestamp is replaced by the current date and each event has a timestamp=none In Search

Can someone hint at what I might be doing wrong?


Re: Timestamp preview different than timestamp in search

Communicator

Hi gunderjt,

I can see that your source type has TIME_FORMAT set, but does it also have a TIME_PREFIX value set? This is usually found in your props.conf, usually in /opt/splunk/etc/system/local/. You could also set the BREAK_ONLY_BEFORE_DATE = true option and see if this corrects the issue.

Please feel free to post the entry for the props.conf file, and I would be happy to take a look at it.

Lastly, when you are setting up the sourcetype through manual import, there is the Timestamps tab which can also perform these changes for you.

Please let me know if you have any questions.

Regards,

Vince


Re: Timestamp preview different than timestamp in search

Explorer

Thank you for your help Vince,

I don't have a TIME_PREFIX as the timestamp is the first half a dozen characters in an event. I also put the "BREAK_ONLY_BEFORE_DATE = true" setting into the props.conf file. But to no avail.

Here is the props.conf sourcetype:

[DoIt1]
BREAK_ONLY_BEFORE_DATE = true
CHECK_FOR_HEADER = true
KV_MODE = none
MAX_DAYS_AGO = 10900
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = False
TIME_FORMAT = %m/%d/%Y
pulldown_type = 1

Like I said, during the preview when I'm setting up my timestamp configuration, it works just fine, but breaks in the search app.


Re: Timestamp preview different than timestamp in search

Communicator

Hi Gunderjt,

Yeah, I typed out sample data from the images you posted and had the same issue. I think that splunk may have been getting confused with the multiple date values in the event and as a result, could not decide how to set the date correctly.

Either way, I have been able to get it to work by adding the TIME_PREFIX option set to the start of the line (^), and have got the following props config to work:

[DoIt1]
MAX_DAYS_AGO = 10900
NO_BINARY_CHECK = 1
TIME_PREFIX = ^
pulldown_type = 1

I hope this works for you and if not...let me know and I will try to find a different way around this.

Regards, Vince

Re: Timestamp preview different than timestamp in search

Explorer

That did it! Thanks a lot 🙂


Re: Timestamp preview different than timestamp in search

Path Finder

Hi,

I have a very similar issue too. I have posted it in
http://answers.splunk.com/answers/233542/timestamp-preview-different-than-timestamp-in-sear.html

The solution you gave did not work for me. I tried the TIME_PREFIX values

TIME_PREFIX=^\"timestamp\":\s\"
TIME_PREFIX="timestamp":

Nothing so far, any clues?

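To make the interaction between TIME_PREFIX and TIME_FORMAT concrete, here is a small added illustration (not part of the thread and not Splunk's own extraction code): a simplified model in which the TIME_PREFIX regex decides where timestamp parsing begins, TIME_FORMAT is applied to the text that follows, and MAX_DAYS_AGO is checked against a reference clock. It covers both Vince's `TIME_PREFIX = ^` case and the JSON `"timestamp"` prefix from the last post. The sample events, the `max_lookahead` window and the reference date are constructed assumptions; real Splunk timestamp recognition has more heuristics than this (for example, what it does when no prefix is configured), so treat the function as an explanatory approximation only.

```python
import re
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample events (not the posters' real data), one event per string.
SAMPLE_EVENTS = [
    # date at the very start, plus a second date later in the event
    "03/15/2012 batch=42 scheduled=04/01/2012 status=ok",
    # JSON event: the line starts with "{", not with "timestamp"
    '{"timestamp": "2015-06-01 12:30:45", "level": "warn", "msg": "disk 91%"}',
    # no parseable date at all
    "no date here at all",
]


def extract_timestamp(event: str,
                      time_prefix: Optional[str] = None,
                      time_format: str = "%m/%d/%Y",
                      max_lookahead: int = 128) -> Optional[datetime]:
    """Simplified model (assumption) of how TIME_PREFIX / TIME_FORMAT select text.

    - If time_prefix is given, it is a regex; parsing starts right after its match.
      No match means no timestamp is extracted (None).
    - Only max_lookahead characters after that point are considered (Splunk has
      a similar MAX_TIMESTAMP_LOOKAHEAD setting; 128 here is an assumed value).
    - time_format is applied with strptime to the longest prefix of that window
      that parses, so trailing text such as "batch=42" does not break parsing.
    """
    start = 0
    if time_prefix:
        match = re.search(time_prefix, event)
        if match is None:
            return None
        start = match.end()

    window = event[start:start + max_lookahead]
    for end in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:end], time_format)
        except ValueError:
            continue
    return None


def within_max_days_ago(ts: datetime, max_days_ago: int, now: datetime) -> bool:
    """True if ts is not older than max_days_ago days relative to `now`.

    Splunk's MAX_DAYS_AGO rejects timestamps older than this; the thread's
    value of 10900 days is far larger than the product default.
    """
    return now - ts <= timedelta(days=max_days_ago)


if __name__ == "__main__":
    reference_now = datetime(2015, 7, 1)  # constructed reference clock
    # Vince's configuration: anchor the prefix at the start of the line.
    print(extract_timestamp(SAMPLE_EVENTS[0], time_prefix="^", time_format="%m/%d/%Y"))
    # An anchored JSON prefix cannot match a line that begins with "{" ...
    print(extract_timestamp(SAMPLE_EVENTS[1], time_prefix=r'^"timestamp":\s"',
                            time_format="%Y-%m-%d %H:%M:%S"))
    # ... whereas the same prefix without the anchor does.
    ts = extract_timestamp(SAMPLE_EVENTS[1], time_prefix=r'"timestamp":\s"',
                           time_format="%Y-%m-%d %H:%M:%S")
    print(ts, within_max_days_ago(ts, 10900, reference_now))
```

The anchored `^` prefix works only when the date really is the first thing on the line, which is the situation gunderjt described; for a JSON event whose line begins with `{`, a pattern anchored to `^"timestamp"` never matches in this model, while the unanchored form does. That is one thing worth checking against the raw events before adjusting the other settings.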