Splunk Search

Sourcetype started indexing to wrong date - MDY to YMD

drcheeves
New Member

Hi All,

I recently started having an issue with a few of my sourcetypes where they are logging to the wrong date. These sourcetypes were working fine for the last year and I have not found any changes that have been made.

The file being indexed is named like /oltp080813.log (as in Aug 8th, 2013). No date value is in the file being indexed.

An example of one of the events is:
FINER | 07:56:37.929 | 1375966597928 | [ACTIVE] ExecuteThread: '10' for queue: 'weblogic.kernel.Default (self-tuning)'

Splunk is correctly identifying the time values, which I verified with timestartpos and timeendpos. The date, however, is now being parsed as Aug 13th, 2008 rather than Aug 8th, 2013. This started on 08/02/2013 (which was indexed as 02/13/08).

What I believe is happening is that starting right after 08/01/2013 @ 23:59:59 (last properly indexed event) Splunk started interpreting my filename of oltp080813 to be a YMD date format rather than a MDY format. I have no idea why this just started happening and I have not been able to find anything in the Splunk documentation that specifically outlines how I can modify my sourcetype(s) to use a different date format when pulling the date info from the file name.

I am open to other solutions as well but I have many sourcetypes on this server that are still working so I am hesitant to set any global parameters.

I have seen it suggested elsewhere that you can specifically tell splunk in props.conf to use the current date/time for a given sourcetype using DATETIME_CONFIG = CURRENT. As a last resort I could do this but I would rather continue to use the time value that exists in the files I am indexing as those are still being indexed correctly.

I have also read through the precedent docs here: http://splunk-base.splunk.com/answers/24275/how-does-splunk-get-date-from-file

  1. If no events in a source have a time or date, look in the source (or file) name.
  2. For file sources, if no time or date can be identified in the file name, use the modification time on the file.

The problem I am having is that the date IS identified in the file (just incorrectly as YMD rather than MDY) therefore the modification date of the file won't be used.

I am currently running v4.3.5 build 140437 of Splunk and am using heavy forwarders to forward to the indexer.

In addition to any potential solutions I would be grateful for anybody's thoughts as to how or why this just started happening all of a sudden.

Thanks!

0 Karma

yannK
Splunk Employee

Define your sourcetype in props.conf (on the indexers and heavy forwarders if any).
And specify the parameter TIME_FORMAT with the correct parsing.

0 Karma

drcheeves
New Member

I don't follow what you are suggesting. Splunk is getting my DATE from the file name and TIME from the contents of the file. Are you saying that if I specify timeformat %m%d%y for my sourcetype that Splunk will then interpret the filename of 080113.log as Aug 1st, 2013 rather than what it is currently doing, which is interpreting 080113 as Jan 13th, 2008?

0 Karma
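The root of the problem in this thread is that a six-digit date such as 080813 is a valid date under both %m%d%y and %y%m%d, so any parser that guesses the format can flip between them without warning; an explicit format is the only stable fix. The following is an added example (not code from the thread's participants or from Splunk) that shows the ambiguity and how an explicit format resolves it. The file path and event are constructed from the samples quoted above, and it assumes, as a labelled guess, that the third pipe-separated field of the event is an epoch-millisecond value, which can be used as an independent check on the date derived from the file name.

```python
from datetime import datetime, timezone
import re

# Constructed sample input, modelled on the file name and event quoted in the thread.
SAMPLE_SOURCE = "/var/log/app/oltp080813.log"
SAMPLE_EVENT = ("FINER | 07:56:37.929 | 1375966597928 | [ACTIVE] ExecuteThread: "
                "'10' for queue: 'weblogic.kernel.Default (self-tuning)'")

# Both candidate formats can succeed on the same six digits: this is the ambiguity.
CANDIDATE_FORMATS = {"MDY": "%m%d%y", "YMD": "%y%m%d"}


def digits_in_source(source):
    """Return the six-digit run immediately before '.log' in the file name, or None."""
    m = re.search(r"(\d{6})(?=\.log$)", source)
    return m.group(1) if m else None


def interpretations(six_digits):
    """Try every candidate format; return {label: ISO date} for each one that parses.

    When more than one entry comes back, a guessing parser has no sound basis
    for choosing between them.
    """
    out = {}
    for label, fmt in CANDIDATE_FORMATS.items():
        try:
            out[label] = datetime.strptime(six_digits, fmt).date().isoformat()
        except ValueError:
            pass  # this format does not fit these digits
    return out


def date_from_source(source, fmt):
    """Parse the file-name date with one explicit, fixed format (no guessing)."""
    six = digits_in_source(source)
    if six is None:
        return None
    return datetime.strptime(six, fmt).date().isoformat()


def epoch_ms_from_event(event):
    """Assumption: the third pipe-separated field is epoch milliseconds."""
    fields = [f.strip() for f in event.split("|")]
    if len(fields) < 3 or not fields[2].isdigit():
        return None
    return int(fields[2])


def event_date_utc(event):
    """Date (UTC) implied by the event's epoch field, independent of the file name."""
    ms = epoch_ms_from_event(event)
    if ms is None:
        return None
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).date().isoformat()


def check_source_date(source, fmt, event):
    """Return (filename_date, epoch_date, agree) so a wrong format is detectable."""
    fn_date = date_from_source(source, fmt)
    ev_date = event_date_utc(event)
    return fn_date, ev_date, fn_date == ev_date


if __name__ == "__main__":
    six = digits_in_source(SAMPLE_SOURCE)
    print("digits in file name:", six)
    print("possible readings:", interpretations(six))
    for label, fmt in CANDIDATE_FORMATS.items():
        print(label, check_source_date(SAMPLE_SOURCE, fmt, SAMPLE_EVENT))
```

The check_source_date comparison is the kind of sanity test worth running before and after a props.conf change: if the date taken from the file name disagrees with the date implied by a timestamp inside the event, the format being applied to the file name is wrong, regardless of which component is doing the parsing.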