Hi,
I have a field in a file which contains the date which is in dd/mm/yyyy format as follows:
BEGIN_TIME NAME LOC
5/11/2012 abhay kolkata
6/11/2012 murari raniganj
These two rows are for 5th and 6th November 2012, but when I search on the BEGIN_TIME field I do not get these values (I get no data, because Splunk is treating them as 11th May and 11th June data).
Please suggest how to solve this issue; I need your urgent help.
Thanks for your help!!
In props.conf you can declare the TIME_FORMAT for this particular source/sourcetype etc.
More info here: http://docs.splunk.com/Documentation/Splunk/5.0/Data/Configuretimestamprecognition
Sounds about right. Why not try it with some sample data? That's the easiest way to learn.
I am using the following commands:
$SPLUNK_HOME/bin/splunk stop
$SPLUNK_HOME/bin/splunk clean eventdata -index myindex -f
$SPLUNK_HOME/bin/splunk start
After that I am going to create a new index "newmyindex" and the rest of the configuration will be the same. Will it work if I do it like that?
Please suggest.
Right. Well you will need to reindex your data. Just use the info in the link above.
I have read the documents, but since I don't have any real time experience, I am not able to connect the real solutions with my problems. When I get the answer from you guys, then it clicks in my mind: "oh ok ok, so this one is the solution for this problem, I have read this before"... I myself wrote the TIME_FORMAT = %d/%m/%Y line in props.conf and got it done, but I am again facing the same issue for already indexed data.
You do know there's a product manual? I mean, sure, we're here to help, but you'll solve problems so much quicker if you could read up on things instead of asking about every small detail here.
How do I re-index the prior data? Please help.
You'll need to reindex the prior data.
I wrote TIME_FORMAT = %d/%m/%Y in props.conf and it is working fine for the newly imported data, but I am still facing the same issue for the data which has already been imported. How do I get out of that problem? Please help. props.conf will help me out for the newly imported data but not for the data which is already imported.
Thanks in advance !!
Please help
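The date ambiguity discussed in this thread, as an added example that is not part of any post: a Python sketch that reads the BEGIN_TIME column both day-first (the `%d/%m/%Y` format quoted in the thread) and month-first, and flags the rows whose date changes under the wrong reading, which are the events that would need reindexing. The last two sample rows and all function names are constructed for illustration.

```python
from datetime import datetime

# Constructed sample in the BEGIN_TIME NAME LOC layout from the question;
# the first two rows are the question's, the last two are made up.
SAMPLE = """BEGIN_TIME NAME LOC
5/11/2012 abhay kolkata
6/11/2012 murari raniganj
25/11/2012 sample asansol
7/7/2012 sample durgapur
"""

DAY_FIRST = "%d/%m/%Y"    # format string quoted in the thread
MONTH_FIRST = "%m/%d/%Y"  # reading that yields 11 May / 11 June


def try_parse(text, fmt):
    """Return an ISO date string, or None if text does not fit fmt."""
    try:
        return datetime.strptime(text, fmt).date().isoformat()
    except ValueError:
        return None


def audit(data):
    """Classify each row's first field as (raw, intended, swapped, status)."""
    results = []
    for line in data.splitlines()[1:]:  # skip the header row
        if not line.strip():
            continue
        raw = line.split()[0]
        intended = try_parse(raw, DAY_FIRST)
        swapped = try_parse(raw, MONTH_FIRST)
        if intended is None:
            status = "invalid"      # not a dd/mm/yyyy date at all
        elif swapped is None:
            status = "unambiguous"  # day > 12, month-first cannot parse it
        elif swapped == intended:
            status = "same"         # day == month, both readings agree
        else:
            status = "ambiguous"    # wrong reading silently shifts the date
        results.append((raw, intended, swapped, status))
    return results


if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

Rows reported as "ambiguous" parse without error under either format, so a wrong timestamp on them produces no warning and only shows up as events missing from the expected time range.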