Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why doesn't the indexed time change?

spisiakmi
Communicator
‎09-22-2022 06:07 AM

Hi, can anybody help, please? I'm using classical forwarder to index regular CSV file. The time/date of the CSV logFile changes always if a new entry comes. Each event has TIME Attribute. If I choose time interval TODAY there have been indexed 100 events. The indexed time _time is always the same (similar to the time of the first event). The time attribute of each event changes of course. Does anybody have an idea, where is the problem? If I restart the forwarder, the problem appears on the next day.

Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

spisiakmi
Communicator
‎09-22-2022 08:35 AM

Hi Giuseppe,

I stopped splunk fw and defined DATETIME_CONFIG = CURRENT in props.conf. After that I started the service again and I will run it till tomorrow. I will observe if all events become the proper _time. I think, it could help. I cannot combine these 2 time/date variables, because it isn't the real time of the event. I will let you know. Thank you and enjoy the day.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-22-2022 07:03 AM

Hi @spisiakmi,

if in your csv file have a column containing a timestamp, you can use it as timestamp for the event.

If you haven't a timestamp, to each event is assigned the timestamp of the indexing moment.

having your events the tIME attribute, you have to teach your sourcetype to use it as timestamp, indicating the column name and the format.

here you can find some help:

https://hurricanelabs.com/splunk-tutorials/ingesting-a-csv-file-into-splunk/

https://www.splunk.com/en_us/blog/tips-and-tricks/working-with-spreadsheets-in-splunk-excel-csv-file...

The easiest approach is to use the manual GUI Add data feature to find the correct sourcetype and then use it.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

spisiakmi
Communicator
‎09-22-2022 08:16 AM

Hi Giuseppe,

 

thank you very much for a help. I have 2 important attributes in the event. Time and Date. How it is possible to define indextime from these 2 attributes?

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-22-2022 08:20 AM

Hi @spisiakmi,

as I said, follow the guided Add data feature.

If you don't reach to do, you can manually configure TIME_FORMAT parameter.

but for this, I need a sample of your logs.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution
Solution

spisiakmi
Communicator
‎09-22-2022 08:35 AM

Hi Giuseppe,

I stopped splunk fw and defined DATETIME_CONFIG = CURRENT in props.conf. After that I started the service again and I will run it till tomorrow. I will observe if all events become the proper _time. I think, it could help. I cannot combine these 2 time/date variables, because it isn't the real time of the event. I will let you know. Thank you and enjoy the day.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-22-2022 01:08 PM

Hi @spisiakmi,

ok, let me know,

if one answer solves your need, please accept one answer for the other people of Community

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...