After 12:59 PM, Splunk is indexing data at 1 AM. It should index data for 24 hours, but it is indexing for 12 hours only; however, 1 PM data is getting indexed at 1 AM, so I have two events with a 1 AM timestamp. Below is my
DATETIME_CONFIG = CURRENT
NO_BINARY_CHECK = 1
pulldown_type = 1
TIME_FORMAT = %H:%M
TZ = US/Eastern
SHOULD_LINEMERGE = false
BREAK_ONLY_BEFORE = \d\d:\d\d+\s*$
MAX_TIMESTAMP_LOOKAHEAD = 50
Can you give a sample of your time format? If you also have seconds and milliseconds in your events, then you will have to change your TIME_FORMAT in props.conf as below:
Just to expand on previous comments - it is indexing for 24 hours, but the lack of AM/PM data is resulting in everything being in AM.
If your source data cannot be adjusted to include more time information, then, as @thomast_splunk suggests, one option would be to just use whatever the current time and date is when Splunk receives the event for processing.
DATETIME_CONFIG = NONE is another option:
* "NONE" will leave the event time set to whatever time was selected by the input layer
* For data sent by Splunk forwarders over the Splunk protocol, the input layer will be the time that was selected on the forwarder by its input behavior (as below).
* For file-based inputs (monitor, batch) the time chosen will be the modification timestamp on the file being read.
* For other inputs, the time chosen will be the current system time when the event is read from the pipe/socket/etc.
This page is a good primer on how Splunk assigns timestamps if you want more details:
May want to just use index time if in the same timezone - or keep that in mind for this particular sourcetype
[sourcetypeName]
DATETIME_CONFIG = CURRENT
Hi Micahkemp, thank you for your reply.
I don't have AM/PM on my event logs.
This is my log generated at 12:01 AM ---> 12:01 Info [tasks_advancemedia_aspx]
and this was generated at 12:01 PM ---> 12:01 Info [WorkerService] RTAEncode acm status
Also, I wanted to break events according to time. I have another log at the same time ---> 12:01 Error [lambda_method] Unable
How would I break events with the same time but different logs? I tried BREAK_ONLY_BEFORE = ^\d\d:\d\d+\s but it did not work.
So your events look like:
12:01 <-- 12:01 AM
01:01 <-- 1:01 AM
...
12:01 <-- 12:01 PM
01:01 <-- 1:01 PM
Which would mean you don't have AM/PM or 24-hour format. That sounds less than ideal to say the least.
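Added example, not from this thread or from Splunk itself: a small Python model of the two behaviours discussed above (reading the HH:MM text with a 24-hour format versus keeping the receipt time) and of the event-breaking rule, run over constructed log lines modelled on the asker's samples; the regex, function names, dates and receipt times are assumptions. The point for anyone building an investigation timeline from such logs is visible in the results: with text-derived times the AM and PM entries collapse onto one timestamp, while receipt time keeps them apart.

```python
import re
from datetime import datetime

# Constructed sample stream modelled on the asker's lines: HH:MM stamps with no
# AM/PM and no 24-hour hour, so the 12:01 AM and 12:01 PM entries look identical.
RAW_LOG = (
    "12:01 Info [tasks_advancemedia_aspx]\n"
    "12:01 Info [WorkerService] RTAEncode acm status\n"
    "12:01 Error [lambda_method] Unable\n"
    "    at SomeFrame()   <- continuation line, belongs to the Error event\n"
    "01:01 Info [WorkerService] next event\n"
)

# Constructed receipt times (when the indexer saw each event), one per event.
RECEIVED_AT = [
    datetime(2023, 1, 1, 0, 1),   # 12:01 AM
    datetime(2023, 1, 1, 12, 1),  # 12:01 PM
    datetime(2023, 1, 1, 12, 1),  # 12:01 PM
    datetime(2023, 1, 1, 13, 1),  # 1:01 PM
]

# Multiline equivalent of BREAK_ONLY_BEFORE = ^\d\d:\d\d\s : a new event begins
# at every line that starts with a time stamp, so events sharing the same time
# are still split while indented continuation lines stay attached.
BREAK_ONLY_BEFORE = re.compile(r"^\d\d:\d\d\s", re.MULTILINE)


def break_events(raw):
    """Split a raw stream into events at each time-stamped line start."""
    starts = [m.start() for m in BREAK_ONLY_BEFORE.finditer(raw)]
    ends = starts[1:] + [len(raw)]
    return [raw[s:e].rstrip("\n") for s, e in zip(starts, ends)]


def time_from_text(event, received_at):
    """TIME_FORMAT = %H:%M behaviour: the hour is read as 24-hour, so '01:01'
    from the afternoon lands at 01:01 AM and both '12:01' entries at noon."""
    hhmm = datetime.strptime(event[:5], "%H:%M")
    return received_at.replace(hour=hhmm.hour, minute=hhmm.minute,
                               second=0, microsecond=0)


def time_from_receipt(event, received_at):
    """DATETIME_CONFIG = CURRENT behaviour: ignore the text, keep receipt time."""
    return received_at


def build_timeline(raw, received_at, strategy):
    """Return (event_time, first line) pairs for every event in the stream."""
    events = break_events(raw)
    return [(strategy(ev, ts), ev.splitlines()[0])
            for ev, ts in zip(events, received_at)]
```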