How to change timestamp value on old data in an in...

vishalduttauk · ‎11-07-2022

Hi there,

I have a requirement where I have a large number of events which was uploaded on the 4th November but that needs to be changed to 1st November after it has been indexed. Is that possible?

gcusello · ‎11-07-2022

Hi @vishalduttauk,

indexed events cannot be modified, the only way is do delete them and reindiex with the correct timestamp.

Rememeber that devent deletion is only logical, not physical.

Ciao.

Giuseppe

vishalduttauk · ‎11-07-2022

Thanks @gcusello

I will do that. I can't rely on the created date of the file which i will re-upload? How can i specify the the timestamp as I have older data which needs to be uploaded.

The method is to use the add data functionality and to upload the txt file to the specified index.

gcusello · ‎11-07-2022

Hi @vishalduttauk,

only one information: do you want to use a timestamp contained in the events or to add a fixed one?

if the timestamp is contained in the event, you have only to configure your timestamp recognition to read the correct timestamp from the events.

Ciao.

Giuseppe

vishalduttauk · ‎11-07-2022

Hi @gcusello

I would like to add the same fixed one for every event within the file which will be uploaded.

gcusello · ‎11-07-2022

Hi @vishalduttauk,

this isn't a usual approach, anyway, you could insert the date you want in the filename, then you could add to your $SPLUNK_HOME/etc/datetime.xml the following raw:

<![CDATA[(?:^|source::).*?_(0?[1-9]|1[012])-(0?[1-9]|[12]\d|3[01])-(20\d\d|19\d\d|[901]\d(?!\d))\.log]]>

remembering to rename your file as: mylogs_11-1-2012.log

Ciao.

Giuseppe

vishalduttauk · ‎11-09-2022

Hi @gcusello

I am implementing that to the existing datetime.xml file. Is this what i should add?

</define>
<define name="_masheddate2" extract="month, day, year">
<text><![CDATA[(?:^|mylogs_01-10-2022.log::).*?_(0?[1-9]|1[012])-(0?[1-9]|[12]\d|3[01])-(20\d\d|19\d\d|[901]\d(?!\d))\.log]]></text>
</define>

gcusello · ‎11-09-2022

Hi @vishalduttauk,

"mylogs_01-10-2022.log" is a fixed string and you should use the field containing the field name, I suppose that your file name will change, so you have to use "source" instead "mylogs_01-10-2022.log".

<define name="_masheddate2" extract="month, day, year">
   <text>
      <![CDATA[(?:^|source::).*?_(0?[1-9]|1[012])-(0?[1-9]|[12]\d|3[01])-(20\d\d|19\d\d|[901]\d(?!\d))\.log]]>
   </text>
</define>

It's important that you use this format ("string_dd-mm-yyyy.log") in the filename, otherwise, you have to change the regex.

in the first row you said "month, day, year", instead you have "day, month, year", you have to correct it based on the format you want to use in the file name.

Ciao.

Giuseppe

How to change timestamp value on old data in an index?

fields

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

Are you a member of the Splunk Community?

How to change timestamp value on old data in an index?

fields

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25