Hi @vishalduttauk,
indexed events cannot be modified; the only way is to delete them and reindex with the correct timestamp.
Remember that event deletion is only logical, not physical.
Ciao.
Giuseppe
Thanks @gcusello
I will do that. I can't rely on the created date of the file which I will re-upload? How can I specify the timestamp, as I have older data which needs to be uploaded?
The method is to use the add data functionality and to upload the txt file to the specified index.
Hi @vishalduttauk,
just one piece of information: do you want to use a timestamp contained in the events or to add a fixed one?
If the timestamp is contained in the event, you only have to configure your timestamp recognition to read the correct timestamp from the events.
Ciao.
Giuseppe
Hi @gcusello
I would like to add the same fixed one for every event within the file which will be uploaded.
Hi @vishalduttauk,
this isn't a usual approach; anyway, you could insert the date you want in the filename, then you could add to your $SPLUNK_HOME/etc/datetime.xml the following row:
<![CDATA[(?:^|source::).*?_(0?[1-9]|1[012])-(0?[1-9]|[12]\d|3[01])-(20\d\d|19\d\d|[901]\d(?!\d))\.log]]>
remembering to rename your file as: mylogs_11-1-2012.log
Ciao.
Giuseppe
Hi @gcusello
I am implementing that in the existing datetime.xml file. Is this what I should add?
</define>
<define name="_masheddate2" extract="month, day, year">
<text><![CDATA[(?:^|mylogs_01-10-2022.log::).*?_(0?[1-9]|1[012])-(0?[1-9]|[12]\d|3[01])-(20\d\d|19\d\d|[901]\d(?!\d))\.log]]></text>
</define>
Hi @vishalduttauk,
"mylogs_01-10-2022.log" is a fixed string and you should use the field containing the file name; I suppose that your file name will change, so you have to use "source" instead of "mylogs_01-10-2022.log".
<define name="_masheddate2" extract="month, day, year">
<text>
<![CDATA[(?:^|source::).*?_(0?[1-9]|1[012])-(0?[1-9]|[12]\d|3[01])-(20\d\d|19\d\d|[901]\d(?!\d))\.log]]>
</text>
</define>
It's important that you use this format ("string_dd-mm-yyyy.log") in the filename, otherwise, you have to change the regex.
In the first row you said "month, day, year", but you have "day, month, year"; you have to correct it based on the format you want to use in the file name.
Ciao.
Giuseppe