Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to change timestamp value on old data in an index?

vishalduttauk
Path Finder
‎11-07-2022 01:08 AM

Hi there,

I have a requirement where I have a large number of events which was uploaded on the 4th November but that needs to be changed to 1st November after it has been indexed. Is that possible?

Labels (2)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-07-2022 02:21 AM

Hi @vishalduttauk,

indexed events cannot be modified, the only way is do delete them and reindiex with the correct timestamp.

Rememeber that devent deletion is only logical, not physical.

Ciao.

Giuseppe

Reply

vishalduttauk
Path Finder
‎11-07-2022 03:54 AM

Thanks @gcusello 

 

I will do that. I can't rely on the created date of the file which i will re-upload? How can i specify the the timestamp as I have older data which needs to be uploaded.

The method is to use the add data functionality and to upload the txt file to the specified index.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-07-2022 04:43 AM

Hi @vishalduttauk,

only one information: do you want to use a timestamp contained in the events or to add a fixed one?

if the timestamp is contained in the event, you have only to configure your timestamp recognition to read the correct timestamp from the events.

Ciao.

Giuseppe

Reply

vishalduttauk
Path Finder
‎11-07-2022 05:12 AM

Hi @gcusello 

 

I would like to add the same fixed one for every event within the file which will be uploaded.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-07-2022 05:27 AM

Hi @vishalduttauk,

this isn't a usual approach, anyway, you could insert the date you want in the filename, then you could add to your $SPLUNK_HOME/etc/datetime.xml the following raw:

 

 

<![CDATA[(?:^|source::).*?_(0?[1-9]|1[012])-(0?[1-9]|[12]\d|3[01])-(20\d\d|19\d\d|[901]\d(?!\d))\.log]]>

remembering to rename your file as: mylogs_11-1-2012.log

Ciao.

Giuseppe

Reply

vishalduttauk
Path Finder
‎11-09-2022 02:54 AM

Hi @gcusello 

 

I am implementing that to the existing datetime.xml file. Is this what i should add?

 

</define>
<define name="_masheddate2" extract="month, day, year">
<text><![CDATA[(?:^|mylogs_01-10-2022.log::).*?_(0?[1-9]|1[012])-(0?[1-9]|[12]\d|3[01])-(20\d\d|19\d\d|[901]\d(?!\d))\.log]]></text>
</define>

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-09-2022 03:50 AM

Hi @vishalduttauk,

"mylogs_01-10-2022.log" is a fixed string and you should use the field containing the field name, I suppose that your file name will change, so you have to use "source" instead "mylogs_01-10-2022.log".

<define name="_masheddate2" extract="month, day, year">
   <text>
      <![CDATA[(?:^|source::).*?_(0?[1-9]|1[012])-(0?[1-9]|[12]\d|3[01])-(20\d\d|19\d\d|[901]\d(?!\d))\.log]]>
   </text>
</define>

It's important that you use this format ("string_dd-mm-yyyy.log") in the filename, otherwise, you have to change the regex.

in the first row you said "month, day, year", instead you have "day, month, year", you have to correct it based on the format you want to use in the file name.

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...