Splunk Search

What should the time be when searching old logs?

dujas
Explorer


I am using Splunk to search old log files, and the _time is different from the log time. Would this make sense, or do I have to parse the log to set _time to the log time?

Thanks.


gcusello
SplunkTrust
SplunkTrust

Hi @dujas,

yes, usually the event timestamp (_time) is the same as the event's time.

You have to parse your logs better so that the timestamp is the event timestamp.

Ciao.

Giuseppe

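The parsing gcusello refers to is configured in props.conf for the sourcetype, on the indexer or heavy forwarder that does the parsing. The stanza below is an added example, not configuration posted in this thread; the sourcetype name app:legacy, the sample line layout and the MAX_DAYS_AGO value are assumptions for illustration.

```ini
# Added example (not from the original thread): props.conf stanza that tells
# Splunk where the event timestamp sits in each line, so _time is the log
# time rather than the time the file was indexed.
#
# Assumed line layout (constructed sample, not real data):
#   2019-03-04 17:22:09,117 INFO  auth user=alice src=10.1.2.3 result=ok
[app:legacy]
# Anchor the timestamp at the start of the line so a later date inside the
# message body (for example in a field value) is never picked up instead.
TIME_PREFIX = ^
# strptime-style format of the timestamp that follows TIME_PREFIX
# (%3N = milliseconds).
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
# Only look this many characters past TIME_PREFIX for the timestamp
# ("2019-03-04 17:22:09,117" is 23 characters).
MAX_TIMESTAMP_LOOKAHEAD = 23
# The lines carry no zone; state the zone the application wrote in, so
# events line up with other sources instead of taking the indexer's zone.
TZ = UTC
# Old logs: by default Splunk accepts extracted dates up to 2000 days old and
# substitutes a different timestamp beyond that. Raise the limit to cover the
# archive being loaded (the value is an assumption; size it to your data).
MAX_DAYS_AGO = 10000
# Usual line-breaking settings for a one-event-per-line log.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
```

Reload or restart the parsing tier after editing it. Events that were already indexed keep the _time they were given, so the old files have to be deleted from the index (or allowed to age out) and re-indexed after the change. To confirm the fix, compare event time with index time on a few events, for example `sourcetype=app:legacy | eval lag_days=(_indextime - _time)/86400 | stats min(lag_days) max(lag_days)`: for genuinely old logs the lag should be large and match the age of the files, while a lag near zero means _time was still taken from index time. Getting this right matters for investigations: with _time set to index time, time-bounded searches, correlation with other sources and timeline reconstruction all land on the wrong day.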

dujas
Explorer

Thanks @gcusello , I have parsed the log line and made it work.


gcusello
SplunkTrust
SplunkTrust

Hi @dujas,

good for you, see you next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉
