Splunk Search

How to change timestamp value on old data in an index?

vishalduttauk
Path Finder

Hi there,

I have a requirement where I have a large number of events which were uploaded on the 4th November but that need to be changed to 1st November after they have been indexed. Is that possible?

0 Karma

gcusello
SplunkTrust

Hi @vishalduttauk,

Indexed events cannot be modified; the only way is to delete them and reindex with the correct timestamp.

Remember that event deletion is only logical, not physical.

Ciao.

Giuseppe

vishalduttauk
Path Finder

Thanks @gcusello 

I will do that. I can't rely on the created date of the file which I will re-upload? How can I specify the timestamp, as I have older data which needs to be uploaded?

The method is to use the add data functionality and to upload the txt file to the specified index.

0 Karma

gcusello
SplunkTrust

Hi @vishalduttauk,

Only one piece of information: do you want to use a timestamp contained in the events or to add a fixed one?

If the timestamp is contained in the event, you only have to configure your timestamp recognition to read the correct timestamp from the events.

Ciao.

Giuseppe

vishalduttauk
Path Finder

Hi @gcusello 

I would like to add the same fixed one for every event within the file which will be uploaded.

0 Karma

gcusello
SplunkTrust

Hi @vishalduttauk,

This isn't a usual approach; anyway, you could insert the date you want in the filename, then add the following row to your $SPLUNK_HOME/etc/datetime.xml:

<![CDATA[(?:^|source::).*?_(0?[1-9]|1[012])-(0?[1-9]|[12]\d|3[01])-(20\d\d|19\d\d|[901]\d(?!\d))\.log]]>

remembering to rename your file as: mylogs_11-1-2012.log

Ciao.

Giuseppe

vishalduttauk
Path Finder

Hi @gcusello 

I am implementing that in the existing datetime.xml file. Is this what I should add?

<define name="_masheddate2" extract="month, day, year">
   <text><![CDATA[(?:^|mylogs_01-10-2022.log::).*?_(0?[1-9]|1[012])-(0?[1-9]|[12]\d|3[01])-(20\d\d|19\d\d|[901]\d(?!\d))\.log]]></text>
</define>

0 Karma

gcusello
SplunkTrust

Hi @vishalduttauk,

"mylogs_01-10-2022.log" is a fixed string and you should use the field containing the file name. I suppose that your file name will change, so you have to use "source" instead of "mylogs_01-10-2022.log".

<define name="_masheddate2" extract="month, day, year">
   <text>
      <![CDATA[(?:^|source::).*?_(0?[1-9]|1[012])-(0?[1-9]|[12]\d|3[01])-(20\d\d|19\d\d|[901]\d(?!\d))\.log]]>
   </text>
</define>

It's important that you use this format ("string_dd-mm-yyyy.log") in the filename, otherwise, you have to change the regex.

In the first row you said "month, day, year", but instead you have "day, month, year"; you have to correct it based on the format you want to use in the file name.

Ciao.

Giuseppe
