
Is there a way to change the year in _time?

Macphisto
Loves-to-Learn Lots

I have a 2015 log that I need to analyze 

I have a 2015 Aruba log I need to analyze. The log does not have the year, so Splunk inputs the current year (2023). Is there a way to adjust the year? Here is a sample of my log (IP, MAC, and Name of Devices are XXX'd out).

Mar 14 12:37:13 stm[XXXXXX]: |AP XXXXXX stm| Auth request: XXXX AP XXX auth_alg 0
Mar 14 12:37:13 stm[XXXXXX]: |AP XXXXXX stm| Auth success: XXXXXX: AP XXXXXX
Mar 14 12:37:33 stm[XXXXXX]: |AP XXXXXX stm| Deauth to sta: XXXXXX: Ageout AP

Here is what Splunk has

Thank you.

PickleRick
SplunkTrust

OK. Unless you do some ingest-time magic, Splunk assumes that the missing timestamp parts are "current" (with some exceptions; see https://docs.splunk.com/Documentation/Splunk/9.0.4/Data/HowSplunkextractstimestamps for a detailed explanation). So, as you already ingested your events, they got their timestamp parsed and the events are already indexed, you have two (three, because one has two variants) options.

1. Delete your already indexed data and ingest it again into a proper time. Which means that you have to either:

1a. use ingest-time evals to "move" them backwards into 2015 or

1b. modify your raw events to include the year in the timestamp

In both cases you might need to configure additional parameters so that Splunk doesn't "ignore" your timestamp because your events are too old. See https://docs.splunk.com/Documentation/Splunk/9.0.4/Data/Configuretimestamprecognition#Timestamp_sett...

Or you can

2. Leave the data as it is, and just modify the timestamp at search time. For example, similar to @ITWhisperer's solution, or just "move" the time backwards if only the year is wrong (your original example shows some more discrepancies between the _time field and the actual timestamp in the raw event, so I'm not sure what is really going on in your data):

| eval _time=relative_time(_time,"-8y")

The first solution will of course incur additional license usage since you have to re-ingest your data, and the second is not very pretty since your data is still indexed in the wrong spot in time, and searching for it is unintuitive.

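An added example (Python, not code from anyone in this thread) of option 1b above: prefixing the year to each raw event before re-ingesting, using the same `%Y %b %d %H:%M:%S` format the search-time fix relies on. It assumes the log is chronological and starts in 2015, treats timestamps as UTC, and uses constructed sample lines; it also handles the Dec to Jan rollover that a flat "prepend 2015" would get wrong.

```python
import re
from datetime import datetime, timezone

# Constructed sample of year-less Aruba syslog lines (not the thread's real log).
SAMPLE_LOG = """\
Dec 31 23:59:58 stm[1234]: |AP ap-01 stm| Auth request: aa:bb AP ap-01 auth_alg 0
Jan 01 00:00:03 stm[1234]: |AP ap-01 stm| Auth success: aa:bb: AP ap-01
Mar 14 12:37:33 stm[1234]: |AP ap-01 stm| Deauth to sta: aa:bb: Ageout AP
"""

# Year-less syslog prefix: "Mar 14 12:37:13" (the day may be space-padded).
TS_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})"
)
FMT = "%Y %b %d %H:%M:%S"  # note the spaces; "%Y%b%d" does not match "2015 Mar 14"


def restamp(lines, start_year):
    """Return [(rewritten_line, epoch_or_None)] with an explicit year in each timestamp.

    Assumptions: lines are chronological and timestamps are UTC. When the parsed
    time jumps back by most of a year (Dec -> Jan), the year is advanced.
    """
    year, prev, out = start_year, None, []
    for line in lines:
        m = TS_RE.match(line)
        if not m:
            out.append((line, None))  # leave lines without a timestamp untouched
            continue
        # Python's strptime needs the whole string to match, so parse only the prefix.
        stamp = f"{m['mon']} {int(m['day']):02d} {m['time']}"
        ts = datetime.strptime(f"{year} {stamp}", FMT)
        if prev is not None and ts < prev and (prev - ts).days > 300:
            year += 1  # the log crossed a year boundary
            ts = datetime.strptime(f"{year} {stamp}", FMT)
        prev = ts
        epoch = int(ts.replace(tzinfo=timezone.utc).timestamp())
        out.append((f"{year} {stamp}{line[m.end():]}", epoch))
    return out


if __name__ == "__main__":
    for new_line, epoch in restamp(SAMPLE_LOG.splitlines(), 2015):
        print(epoch, new_line)
```

The rewritten lines carry a full `2015 Dec 31 23:59:58 ...` timestamp, so Splunk can extract the year directly; MAX_DAYS_AGO still has to allow events that old.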

woodcock
Esteemed Legend

You should start all the way over and reindex the data with the correct year.  Be sure to modify "MAX_DAYS_HENCE" first.


Macphisto
Loves-to-Learn Lots

@woodcock 

Thank you. How do you input the correct year when inputting the log file? I tried looking for that, but I can't find the answer how to do it.


woodcock
Esteemed Legend

You get it wherever you can. In the filename. In the directory path. In the file createtime. In the file modtime. Somewhere inside of the file. It has to be somewhere.


ITWhisperer
SplunkTrust

| eval _time=strptime("2015 "._raw,"%Y %b %d %H:%M:%S")

Macphisto
Loves-to-Learn Lots

@ITWhisperer 

Thank you. The year changed, but not correctly.

1st try, using the command provided:

index="XXXX"| eval _time=strptime("2015 "._raw,"%Y%b%d %H:%M:%S")

I get the following. The time is blank.


2nd try, I added another eval command. I get the year as 1969 and the time is off.

index="01-aruba"| eval _time=strptime("2015"._raw,"%Y%b%d %H:%M:%S")
| eval _time="2015"

ITWhisperer
SplunkTrust
SplunkTrust

You don't appear to have included the same spaces that I had in the format string.

Perhaps you could share your raw event in a code block </> so that formatting is preserved?
