Hi
I have a log file which is created every hour, so it does not have a date field, but Splunk automatically provides a different date to every event.
So when I use a time search between some specific times, the search fails due to the different dates auto-provided by Splunk.
I need to give one date to every event or remove the date field so I am able to search a particular time.
My log file demo:
07:33:41.571|0071540|1|49| |O|Created send socket [447.0.0.1:1618]
07:33:41.571|0071540|1|49| |O|Sending 319 byte request to Handler
Please give any solution.
You need to tell Splunk to use the date in the events to timestamp the events like this in props.conf:
TIME_PREFIX=^
TIME_FORMAT=%H:%M:%S
This should make events that have the same time have the same timestamp, which I believe is what you would like. Splunk may not like that this does not specify a date. Is the date encoded in the log filename? If so, we can use datetime.xml to access it.
Hi sir,
I use
TIME_PREFIX=^
TIME_FORMAT=%H:%M:%S.%3N
but the first time they show the current date, and after some time the date differs again.
I tried using TIME_PREFIX=2015-05-09
but when searching they show the date 2015-05-011,
meaning it does not work. Is there any other way to set the date?
TIME_PREFIX does not tell Splunk to add this prefix to your timestamp in each event; it is a REGEX applied to the event to tell Splunk where the parser should begin looking for the timestamp inside each event.
But inside the event the date field is not present, only the time field is present.
So I want to declare my own date at indexing time or at search time, but I don't know how to do this.
Test what I gave you and see what Splunk does when you let it figure out the date without you telling Splunk where to find it.  If you don't like what Splunk does by default, then use datetime.xml to hardcode something or pull the date from somewhere else (filename, modtime, etc.).
But if I change datetime.xml then it affects other logs too, so what do I do for a single log?
You do not have to use the global datetime.xml; create one inside your app that you reference directly that has only your configuration.
I created a folder with the date, so now I try to set the date, but I tried with datetime.xml and it failed.
C:\Users\T_NiteshS1\Documents\My Received Files\20150511\log2.log
If you look before log2.log you see the folder 20150511. This is the date.
If you expand 20150511, this is yyyymmdd.
What I tried in the xml is:
<define name="_masheddate2" extract="month, day, year">
    <text><![CDATA[(?:^|C:\Program Files\Splunk\etc\apps\search::).*?(20\d{2})(\d{2})(\d{2})]]></text>
</define>
Try this for your datetime.xml (hopefully markdown will not mangle the text):
<datetime>
<define name="_dateFromDirectorySegment" extract="year, month, day">
   <!-- the yyyymmdd directory segment, delimited by Windows backslash separators (escaped as \\) -->
   <text><![CDATA[source::.*?\\(\d{4})(\d{2})(\d{2})\\]]></text>
</define>
<define name="_timeFromEventData" extract="hour, minute, second, subsecond">
   <!-- HH:MM:SS.mmm at the start of each event -->
   <text><![CDATA[^(\d{2}):(\d{2}):(\d{2})\.(\d{3})]]></text>
</define>
<timePatterns>
   <use name="_timeFromEventData"/>
</timePatterns>
<datePatterns>
   <use name="_dateFromDirectorySegment"/>
</datePatterns>
</datetime>
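To see what the props.conf TIME_FORMAT answer and the datetime.xml above are asking Splunk to do, here is a small stand-alone script (an added example written for this page, not Splunk's own code or anything the poster ran) that applies the same two regexes: the yyyymmdd directory segment from the source path supplies the date, the HH:MM:SS.mmm prefix of each event supplies the time, and the two are combined into one timestamp before a time-range filter is applied. The sample path and the two log lines are the ones the asker posted; the 07:10 to 07:30 and 07:30 to 07:40 windows are constructed for the demonstration. Events whose source has no date segment get no timestamp rather than a guessed one, which is the failure mode the thread is about.

```python
import re
from datetime import datetime

# Regexes mirroring the two <define> blocks of the datetime.xml above.
# Assumption: Windows backslash path separators, as in the asker's example path.
DATE_FROM_SOURCE = re.compile(r"\\(\d{4})(\d{2})(\d{2})\\")
TIME_FROM_EVENT = re.compile(r"^(\d{2}):(\d{2}):(\d{2})\.(\d{3})")


def date_from_source(source):
    """Return (year, month, day) taken from the yyyymmdd directory segment
    of the source path, or None if the path carries no such segment."""
    m = DATE_FROM_SOURCE.search(source)
    if not m:
        return None
    return tuple(int(g) for g in m.groups())


def event_timestamp(source, line):
    """Combine the directory date with the event's HH:MM:SS.mmm prefix into a
    single datetime, the way pairing datePatterns with timePatterns makes
    Splunk do it. Returns None when either piece is missing, instead of
    letting a default (and therefore varying) date leak in."""
    ymd = date_from_source(source)
    t = TIME_FROM_EVENT.match(line)
    if ymd is None or t is None:
        return None
    hh, mm, ss, ms = (int(g) for g in t.groups())
    return datetime(*ymd, hh, mm, ss, ms * 1000)


def events_between(source, lines, start, end):
    """Return the lines whose combined timestamp lies in [start, end], where
    start and end are 'HH:MM:SS.mmm' strings on the directory's date; this is
    the kind of time-range search the asker was running."""
    ymd = date_from_source(source)
    if ymd is None:
        return []
    bounds = []
    for hms in (start, end):
        t = TIME_FROM_EVENT.match(hms)
        hh, mm, ss, ms = (int(g) for g in t.groups())
        bounds.append(datetime(*ymd, hh, mm, ss, ms * 1000))
    lo, hi = bounds
    hits = []
    for line in lines:
        ts = event_timestamp(source, line)
        if ts is not None and lo <= ts <= hi:
            hits.append(line)
    return hits


# Constructed sample input: the asker's path and the two demo log lines.
SOURCE = r"C:\Users\T_NiteshS1\Documents\My Received Files\20150511\log2.log"
LINES = [
    "07:33:41.571|0071540|1|49| |O|Created send socket [447.0.0.1:1618]",
    "07:33:41.571|0071540|1|49| |O|Sending 319 byte request to Handler",
]

if __name__ == "__main__":
    for line in LINES:
        print(event_timestamp(SOURCE, line).isoformat(), line)
    print(len(events_between(SOURCE, LINES, "07:30:00.000", "07:40:00.000")),
          "events in 07:30-07:40")
    print(len(events_between(SOURCE, LINES, "07:10:00.000", "07:30:00.000")),
          "events in 07:10-07:30")
```

Both sample lines land on 2015-05-11 07:33:41.571, so a 07:30 to 07:40 window on that date returns both and a 07:10 to 07:30 window returns none; with a per-event date that drifts, as in the original complaint, the second window could match or miss unpredictably.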
Yes, I created a new datetime.xml,
but today I tried with the file path in place of source in datetime.xml.
I will try this in the office tomorrow.
Thanks sir
Do note that markdown removed all the backslashes from in front of my "(d{2})" and "(d{4})" strings, so you will have to put them back.
You can use _indextime in the search query to retrieve it.
What is the search that is failing?
When I select a time like 7:10:00.000 to 7:30:00.000 it does not show results, because the date part is not the same date, which is auto-provided by Splunk.
