Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why doesn't the indexed time change?

spisiakmi
Communicator
‎09-22-2022 06:07 AM

Hi, can anybody help, please? I'm using classical forwarder to index regular CSV file. The time/date of the CSV logFile changes always if a new entry comes. Each event has TIME Attribute. If I choose time interval TODAY there have been indexed 100 events. The indexed time _time is always the same (similar to the time of the first event). The time attribute of each event changes of course. Does anybody have an idea, where is the problem? If I restart the forwarder, the problem appears on the next day.

Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

spisiakmi
Communicator
‎09-22-2022 08:35 AM

Hi Giuseppe,

I stopped splunk fw and defined DATETIME_CONFIG = CURRENT in props.conf. After that I started the service again and I will run it till tomorrow. I will observe if all events become the proper _time. I think, it could help. I cannot combine these 2 time/date variables, because it isn't the real time of the event. I will let you know. Thank you and enjoy the day.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-22-2022 07:03 AM

Hi @spisiakmi,

if in your csv file have a column containing a timestamp, you can use it as timestamp for the event.

If you haven't a timestamp, to each event is assigned the timestamp of the indexing moment.

having your events the tIME attribute, you have to teach your sourcetype to use it as timestamp, indicating the column name and the format.

here you can find some help:

https://hurricanelabs.com/splunk-tutorials/ingesting-a-csv-file-into-splunk/

https://www.splunk.com/en_us/blog/tips-and-tricks/working-with-spreadsheets-in-splunk-excel-csv-file...

The easiest approach is to use the manual GUI Add data feature to find the correct sourcetype and then use it.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

spisiakmi
Communicator
‎09-22-2022 08:16 AM

Hi Giuseppe,

 

thank you very much for a help. I have 2 important attributes in the event. Time and Date. How it is possible to define indextime from these 2 attributes?

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-22-2022 08:20 AM

Hi @spisiakmi,

as I said, follow the guided Add data feature.

If you don't reach to do, you can manually configure TIME_FORMAT parameter.

but for this, I need a sample of your logs.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution
Solution

spisiakmi
Communicator
‎09-22-2022 08:35 AM

Hi Giuseppe,

I stopped splunk fw and defined DATETIME_CONFIG = CURRENT in props.conf. After that I started the service again and I will run it till tomorrow. I will observe if all events become the proper _time. I think, it could help. I cannot combine these 2 time/date variables, because it isn't the real time of the event. I will let you know. Thank you and enjoy the day.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-22-2022 01:08 PM

Hi @spisiakmi,

ok, let me know,

if one answer solves your need, please accept one answer for the other people of Community

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...