
Logs being ingested to previous date as there is no date in the timestamp

vishnumaheshch
Engager

The logs don't contain a date in them, and so the events ingested into Splunk are going to the previous date.

Following are some of the events from Splunk:

05:50:41.426: GenHttpRequest() with id: 216526 created
05:50:41.426: HttpSocket selected for http://10.93.78.16:8800/
05:50:36.715: GenHttpRequest with id: 216525 destroyed
05:50:36.715: Socket fd=956, Message Length:224

What could be the best props I can configure to get the correct date to show up in Splunk?


vishnumaheshch
Engager

Sometimes there was a lag in the log flow into Splunk, so I was not able to use the DATETIME_CONFIG = CURRENT config.

Is there any way that the date is picked up from the filename and the time from the events?


adonio
Ultra Champion

Not that I am aware of, but you can do it at search time:

| rex field=source "regex that captures the date into a field"
| eval new_time_string = field_from_rex_above . " " . time_field_from_event
| eval _time = strptime(new_time_string, "time_format")

The above is a formula; you will have to apply the right rules for your use.

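A concrete search-time version of that formula, added here as an example and not part of adonio's post. It assumes the source path carries the date as YYYY-MM-DD (for instance a constructed name such as /var/log/app/genhttp-2018-06-12.log) and that every event begins with HH:MM:SS.mmm followed by a colon, as in the sample lines in the question; the index and sourcetype names are placeholders you will need to adapt.

```spl
index=app sourcetype=genhttp
| rex field=source "(?<file_date>\d{4}-\d{2}-\d{2})"
| rex field=_raw "^(?<event_time>\d{2}:\d{2}:\d{2}\.\d{3}):"
| eval new_time_string = file_date . " " . event_time
| eval _time = coalesce(strptime(new_time_string, "%Y-%m-%d %H:%M:%S.%3N"), _time)
| table _time source _raw
```

The first rex pulls the date out of the filename, the second pulls the clock time from the start of the raw event, and strptime turns the concatenated string into epoch seconds (%3N matches the three millisecond digits). The coalesce keeps the original index-time _time for any event where either rex fails or strptime returns null, so events with unexpected formats are not silently dropped or assigned a null time. Two caveats: this only affects the search results (the indexed _time is unchanged, so time-range pickers still filter on the old value), and every event in a file is stamped with that file's date, so a file that spans midnight would get the wrong date for events after the rollover.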

adonio
Ultra Champion

If the events are generated and indexed in close time proximity, you can use:
DATETIME_CONFIG = CURRENT in props.conf

DATETIME_CONFIG = <filename relative to $SPLUNK_HOME>
* Specifies which file configures the timestamp extractor, which identifies
  timestamps from the event text.
* This configuration may also be set to "NONE" to prevent the timestamp
  extractor from running or "CURRENT" to assign the current system time to
  each event.
  * "CURRENT" will set the time of the event to the time that the event was
    merged from lines, or worded differently, the time it passed through the
    aggregator processor.

Read more here:
https://docs.splunk.com/Documentation/Splunk/7.1.1/Admin/Propsconf

Hope it helps.
