I want to search all the logs for my Device. They're .txt files, and the directory structure is like this:
c:\program files\device\device manager\logs\YYYYMMDD.txt
My query looks something like this:
(source="C:\\Program Files\\Device\\DeviceManager\\Logs\\*.txt") ...stuff to search for... |
I want the most up to date information, but I'm only getting results from 5 days ago. The logfiles get updated daily. If I open up the logfile myself, I can see things that happened as recently as 1 hour ago.
It seems like using the wildcard would leave the query wide open to look through any (txt) logfile it finds in the directory, but this doesn't seem to be happening, otherwise I'd be getting more recent events.
Does anybody know why this could be happening?
If you're searching for the specific source file for a recent event, and you're not finding results unless you search back 5 days or so, I would look at your timestamp parsing, either at index time or at search time. If Splunk has caught up and already indexed the new files, it's possible it's parsing the timestamp as something you're not expecting. Is the time in the log file in a standard format at the beginning of the line?
Yes, here's what the timestamp looks like in the logfile. I think it's pretty standard.
Where can I find out more about timestamp parsing? Is there a configuration setting somewhere? FWIW, I'm running two different installations of Splunk on 2 separate systems running Windows. One is parsing the most recent log files, but the other one is not and is causing me consternation. I'm wondering if the systems are configured differently, and that's why I'm getting differing outcomes.
There's a lot you can do to customize the timestamp parsing in props.conf.
You can limit how far into the log Splunk looks, configure the timezone, etc.
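As an added example, not posted by anyone in this thread: a props.conf stanza that pins down timestamp parsing for the source path quoted in the question. The timestamp format and the timezone are assumptions, since the thread never shows an actual log line; everything else is standard props.conf settings.

```ini
# Added example: props.conf stanza for the source path from the question.
# Place it in $SPLUNK_HOME\etc\system\local\props.conf (or an app's
# local\props.conf) on the Splunk instance that parses these files, then
# restart Splunk. It only affects events indexed after the change.
[source::C:\Program Files\Device\DeviceManager\Logs\*.txt]
# ASSUMPTION: each log line starts with a timestamp such as
# "2013-01-15 14:05:32". The thread does not show the real format, so set
# TIME_FORMAT (strptime syntax) to whatever the file actually contains.
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S
# Only scan this many characters after TIME_PREFIX for the timestamp, so a
# date further along the line is never picked up by mistake.
MAX_TIMESTAMP_LOOKAHEAD = 19
# Without TZ, Splunk applies the indexer's local timezone, which is one way
# two Windows installs can produce different _time values for the same file.
# ASSUMPTION: the device writes UTC; change to the zone it really uses.
TZ = UTC
# Flag timestamps that parse as unreasonably old or as being in the future
# instead of silently accepting them (a rejected timestamp is logged as a
# warning in splunkd.log, which makes a parsing mistake visible).
MAX_DAYS_AGO = 30
MAX_DAYS_HENCE = 2
```

After the restart, compare the parsed event time with the time Splunk actually wrote the event, for example with `| eval lag=_indextime-_time` on a few recent events from that source: a lag of several days on events that arrived an hour ago points at the timestamp parsing, whereas events that are simply absent point at file monitoring rather than at props.conf.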
I took a closer look at props.conf and I didn't see anything that would tell me the time stamps aren't getting parsed.
I have realized that this problem is related to a problem I posted about a few days ago, with the indexer not getting updated. I temporarily fixed it by importing the log file again, but I can't do that every day. At some point, Splunk will have to start ingesting on its own, without any prodding from me.