- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Why would Search return results from old logfi...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why would Search return results from old logfiles when newer ones exist.
I want to search all the logs for my Device, they're txt files and the directory structure is like this: c:\program files\device\device manager\logs\YYYYMMDD.txt
My query looks something like this
(source="C:\\Program Files\\Device\\DeviceManager\\Logs\\*.txt") ...stuff to search for... |
I want the most up to date information, but I'm only getting results from 5 days ago. The logfiles get updated daily. If I open up the logfile myself, I can see things that happened as recently as 1 hour ago.
It seems like using the wildcard would leave the query wide open to look through any (txt) logfile it finds in the directory, but this doesn't seem to be happening, otherwise I'd be getting more recent events.
Does anybody know why this could be happening?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you're searching for the specific source file for a recent event, and you're not finding results unless you search back 5 days or so, I would look at your timestamp parsing either index time or search time. If splunk has caught up and already indexed the new files, it's possible it's parsing the timestamp as something you're not expecting. Is the time in the log file a standard format at the beginning of the line?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, here's what the timestamp looks like in the logfile. I think it's pretty standard.
2015-12-08 00:00:02.958449
Where can I find out more about timestamp parsing? Is there a configuration setting somewhere? FWIW, i'm running two different installations of Splunk on 2 separate systems running Windows. One is parsing the most recent log files, but the other one is not and is causing me consternation. I'm wondering if the systems are configured differently, and that's why I'm getting differing outcomes.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There's a lot you can do to customize the timestamp parsing in props.conf
You can limit how far into the log Splunk looks, configure the timezone, etc.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I took a closer look at props.conf and I didn't see anything that would tell me the time stamps aren't getting parsed.
I have realized that this problem is related to a problem I posted about a few days ago, with the indexer not getting updated. I temporarily fixed it by importing the log file again, but I can't do that everyday. At some point, Splunk will have to start ingesting on its own, without any prodding from me.
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
