Data is forwarded to Splunk every couple of days, meaning that the _time stamp relates to the day it was sent to Splunk. The actual date of the event is listed in the logs as e.g. Date="2018-03-29 11:48".
How can I make the time picker search on the date of the event (Date) rather than the date (_time) the data was ingested by Splunk?
index=summary report=jiracsatresults Key="**" Assignee="**" Classification="**"
| dedup Key
| eval dateEpoch = strptime(Date, "%Y-%m-%d %H:%M")
| eval today = now()
| eval daysAgo = round(((today - dateEpoch)/60/60/24), 0)
| search daysAgo <= 7
| table Key, Summary, Reporter, Assignee, Classification, "CSAT Rate", "CSAT Rating Comment", Date
The only way I get the results for a specific Date range, e.g. for a week, is using
daysAgo <= 7
You need to configure props.conf on the indexer(s) to read the timestamp in the log file and assign it while indexing. If Splunk can't determine a timestamp, it will assign a timestamp of when the event was indexed. Post some sample data and I will help you create that props.conf stanza.
Ok perfect thanks. Here is an example raw log.
04/02/2018 09:00:00 +0100, searchname="Support - CSAT Results", searchnow=1522662477.000, infomintime=1522656000.000, infomaxtime=1522662477.000, infosearchtime=1522662477.324, Assignee=testuser, CSAT Rate=5, Classification="Hardware Issues - PC", Date="2018-03-29 11:48", Key="TEST-457", Reporter=testuser, Summary="Laptop Health Checks", report="jiracsatresults"
Add this stanza to your props.conf and restart the splunkd service on the indexers and it will work correctly:
[stash]
TIME_PREFIX = Date="
TIME_FORMAT = %Y-%m-%d %H:%M
MAX_TIMESTAMP_LOOKAHEAD = 18
Thank you, but I have just realized that will affect other logs that actually have the correct date format.
Would it be possible to have two text inputs, "Earliest" and "Latest", in which a user can enter a number of days for each to select a period of time? Not sure how to actually implement that.
i.e. "Earliest" = 40 days ago AND "Latest" = 20 days ago
This is the importance of sourcetypes. You assign a sourcetype on the "shape" of the data. Since this data format has a different shape, you need to assign it a different sourcetype.
The answer to your question is yes, but the best approach would be to assign it a new sourcetype.
You will need to first convert that date format into epoch time, then specify the earliest and latest.
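To make the two answers above concrete, here is an added example (not part of the thread and not Splunk's own code) that emulates, in plain Python, what the props.conf stanza tells Splunk to do with the posted raw log, and then applies the "Earliest"/"Latest" days-ago window to the extracted event time. It assumes the Date field is in UTC (Splunk would apply its TZ setting), uses constructed sample events modelled on the log line in the thread, and a fixed "now" of 2018-04-02 09:00 UTC so the results are reproducible. The extraction follows the stanza's semantics: locate TIME_PREFIX, then parse TIME_FORMAT within MAX_TIMESTAMP_LOOKAHEAD characters of it; an event with no match returns None, which is the case where Splunk would fall back to index time and the _time/Date mismatch from the question appears.

```python
import re
from datetime import datetime, timezone

# Values from the props.conf stanza posted in the thread.
TIME_PREFIX = 'Date="'
TIME_FORMAT = "%Y-%m-%d %H:%M"
MAX_TIMESTAMP_LOOKAHEAD = 18

# Fixed "now" for the demo: 2018-04-02 09:00:00 UTC as epoch seconds (assumption).
DEMO_NOW_EPOCH = 1522659600

# Constructed sample events, modelled on the raw log line posted in the thread.
# The leading timestamp is when the summary search ran; Date is the real event time.
SAMPLE_EVENTS = [
    '04/02/2018 09:00:00 +0100, searchname="Support - CSAT Results", searchnow=1522662477.000, '
    'Assignee=testuser, CSAT Rate=5, Classification="Hardware Issues - PC", '
    'Date="2018-03-29 11:48", Key="TEST-457", Reporter=testuser, '
    'Summary="Laptop Health Checks", report="jiracsatresults"',
    '04/02/2018 09:00:00 +0100, searchname="Support - CSAT Results", searchnow=1522662477.000, '
    'Assignee=testuser, CSAT Rate=4, Classification="Software", '
    'Date="2018-03-05 08:00", Key="TEST-100", Reporter=testuser, '
    'Summary="Printer driver", report="jiracsatresults"',
    '04/02/2018 09:00:00 +0100, searchname="Support - CSAT Results", searchnow=1522662477.000, '
    'Assignee=testuser, CSAT Rate=3, Classification="Network", '
    'Date="2018-02-10 15:30", Key="TEST-050", Reporter=testuser, '
    'Summary="VPN access", report="jiracsatresults"',
]


def extract_event_time(raw):
    """Emulate the stanza: find TIME_PREFIX, then parse TIME_FORMAT from at most
    MAX_TIMESTAMP_LOOKAHEAD characters after it. Returns epoch seconds (UTC assumed),
    or None when no timestamp is found (Splunk would then use index time)."""
    m = re.search(re.escape(TIME_PREFIX), raw)
    if not m:
        return None
    window = raw[m.end(): m.end() + MAX_TIMESTAMP_LOOKAHEAD]
    # strptime needs an exact match, so try the longest prefix of the window first.
    for end in range(len(window), 0, -1):
        try:
            dt = datetime.strptime(window[:end], TIME_FORMAT)
        except ValueError:
            continue
        return dt.replace(tzinfo=timezone.utc).timestamp()
    return None


def parse_kv(raw):
    """Extract key=value and key="quoted value" pairs from the comma-separated event."""
    fields = {}
    for m in re.finditer(r'(?:^|, )([^=,]+)=(?:"([^"]*)"|([^,]*))', raw):
        key = m.group(1).strip()
        fields[key] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def days_ago(raw, now=DEMO_NOW_EPOCH):
    """Same arithmetic as the thread's SPL: round((now - dateEpoch)/60/60/24, 0)."""
    t = extract_event_time(raw)
    if t is None:
        return None
    return round((now - t) / 60 / 60 / 24)


def events_in_window(raws, earliest_days, latest_days, now=DEMO_NOW_EPOCH):
    """Keep events whose Date falls in [now - earliest_days, now - latest_days],
    i.e. the 'Earliest' / 'Latest' day inputs asked about in the thread.
    Returns a list of (Key, event epoch) tuples."""
    lo = now - earliest_days * 86400
    hi = now - latest_days * 86400
    kept = []
    for raw in raws:
        t = extract_event_time(raw)
        if t is not None and lo <= t <= hi:
            kept.append((parse_kv(raw).get("Key"), t))
    return kept


if __name__ == "__main__":
    for raw in SAMPLE_EVENTS:
        print(parse_kv(raw)["Key"], extract_event_time(raw), days_ago(raw))
    print("Earliest=40, Latest=20:", events_in_window(SAMPLE_EVENTS, 40, 20))
```

With the first sample event, days_ago comes out as 4 even though the leading search timestamp is 2018-04-02, which is exactly the _time versus Date gap described in the question; with Earliest=40 and Latest=20 only TEST-100 falls inside the window.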