Solved: Log file not have any date field but splunk auto...

nitesh218ss · ‎05-07-2015

Hi
I have log file which create every 1 hr so they not have date field but splunk Automatically provide different date to every event
So when i use time search betwwen some specific time. The search fail due to different date auto provide by splunk.
I need to give one date to every event or remove date field so i able to search particular time.

My log file demo:
07:33:41.571|0071540|1|49| |O|Created send socket [447.0.0.1:1618]
07:33:41.571|0071540|1|49| |O|Sending 319 byte request to Handler

Please give any solution

woodcock · ‎05-07-2015

You need to tell Splunk to use the date in the events to timestamp the events like this in props.conf:

TIME_PREFIX=^
TIME_FORMAT=%H:%M:%S

This should make events that have the same time to have the same timestamp, which I believe is what you would like. Splunk may not like that this does not specify a date. Is the date encoded in the log filename? If so, we can use datetime.xml to access it.

View solution in original post

woodcock · ‎05-07-2015

You need to tell Splunk to use the date in the events to timestamp the events like this in props.conf:

TIME_PREFIX=^
TIME_FORMAT=%H:%M:%S

This should make events that have the same time to have the same timestamp, which I believe is what you would like. Splunk may not like that this does not specify a date. Is the date encoded in the log filename? If so, we can use datetime.xml to access it.

nitesh218ss · ‎05-11-2015

hi sir,
I use
TIME_PREFIX=^
TIME_FORMAT=%H:%M:%S.%3N but first time they show current date but after some time date
again differ
i try use TIME_PREFIX=2015-05-09
but when search they show date 2015-05-011
means they not work any other way to set date

woodcock · ‎05-11-2015

TIME_PREFIX does not tell Splunk to add this prefix to your timestamp in each event, it is a REGEX applied to the event to tell Splunk where to have the parser begin looking for the timestamp inside each event.

nitesh218ss · ‎05-11-2015

but inside event date field not present only time field present
.so i want declarer my own date at a time of indexing or time searching but i don't now how i do this?

woodcock · ‎05-11-2015

Test what I gave you and see what Splunk does when you let it figure out the date without you telling Splunk where to find it. If you don't like what Splunk does by default, then use datetime.xml to hardcode something or pull the date from somewhere else (filename, modtime, etc.).

nitesh218ss · ‎05-11-2015

But if i change in datetime.xml then they effect other log also so what i do for single log?

woodcock · ‎05-12-2015

You do not have to use the global datetime.xml; create one inside your app that you reference directly that has only your configuration.

nitesh218ss · ‎05-12-2015

i create folder with date so now i try to set date but i try with datetime.xml but fail

 C:\Users\T_NiteshS1\Documents\My Received Files\20150511\log2.log

If you see before log2.log you get folder 20150511 This is date
if you expend 20150511 this yyyymmdd

i try in xml is

&lt;define name="_masheddate2" extract="month, day, year"&gt;
    &lt;text&gt;&lt;![CDATA[(?:^|C:\Program Files\Splunk\etc\apps\search::).*?(20\d{2})(\d{2})(\d{2})]]&gt;&lt;/text&gt;
&lt;/define&gt;

woodcock · ‎05-12-2015

Try this for your datetime.xml (hopefully markdown will not mangle the text):
<datetime>
<define name="_dateFromDirectorySegment" extract="year, month, day">
<text><![CDATA[source::.*?\(\d{4})(\d{2})(\d{2})\]]></text>
</define>
<define name="_timeFromEventData" extract="hour, minute, second, subsecond">
<text><![CDATA[^(\d{2}):(\d{2}:(\d{2}.(\d{3}]]></text>
</define>
<timePatterns>
<use name="_timeFromEventData"/>
</timePatterns>
<datePatterns>
<use name="_dateFromDirectorySegment"/>
</datePatterns>
</datetime>

nitesh218ss · ‎05-12-2015

ya i create new datetime
but today i try with file path at place of source in satetime.xml
i try this in office tomorrow

nitesh218ss · ‎05-12-2015

thanks sir

woodcock · ‎05-12-2015

Do note that markdown removed all the backslashes from in from of my "(d{2})" an "(d{4})" strings, so you will have to put them back.

srinathd · ‎05-07-2015

you can use _indextime in the search query to retrieve

richgalloway · ‎05-07-2015

What is the search that is failing?

---
If this reply helps you, Karma would be appreciated.

nitesh218ss · ‎05-07-2015

when i select time like 7:10:00.000 to 7:30:00.000 then they not show result because the date part in not same date which auto provided by splunk

Log file not have any date field but splunk auto give different different date to event i need remove date in _time field?

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...