Splunk Search

problem with the date and timestamp

abhayneilam
Contributor

Hi,

I have a field in a file which contains the date which is in dd/mm/yyyy format as follows:

BEGIN_TIME NAME LOC
5/11/2012 abhay kolkata
6/11/2012 murari raniganj

These two rows are from 5th and 6th November 2012, but when I search with the BEGIN_TIME field I am not getting these values (I get no data, because Splunk is treating them as 11th May and 11th June).

Please suggest how to solve this issue; I need your urgent help.

Thanks for your help!!

0 Karma

Damien_Dallimor
Ultra Champion

In props.conf you can declare the TIME_FORMAT for this particular source/sourcetype etc.

More info here: http://docs.splunk.com/Documentation/Splunk/5.0/Data/Configuretimestamprecognition

0 Karma

Ayn
Legend

Sounds about right. Why not try it with some sample data? That's the easiest way to learn.

0 Karma

abhayneilam
Contributor

I am using the following commands:

$SPLUNKHOME/bin/splunk stop
$SPLUNKHOME/bin/splunk clean eventdata -index myindex -f
$SPLUNKHOME/bin/splunk start

After that I am going to create a new index "newmyindex" and the rest of the configuration will be the same. Will it work if I do it like that?

Please suggest

0 Karma

Ayn
Legend

Right. Well you will need to reindex your data. Just use the info in the link above.

0 Karma

abhayneilam
Contributor

I have read the documents, but since I don't have any real-time experience, I am not able to connect the real solutions with my problems. When I get the answer from you guys, it clicks in my mind: "oh ok ok, so this one is the solution for this problem, I have read this before"... I myself wrote the TIME_FORMAT = %d/%m/%Y line in props.conf and got it done, but I am again facing the same issue for already indexed data.

0 Karma

Ayn
Legend

You do know there's a product manual?...I mean sure we're here to help but you'll solve problems so much quicker if you could read up on things instead of asking about every small detail here.

0 Karma

smolcj
Builder
0 Karma

abhayneilam
Contributor

How do I re-index the prior data? Please help.

0 Karma

Damien_Dallimor
Ultra Champion

You'll need to re-index the prior data.

0 Karma

abhayneilam
Contributor

I wrote TIME_FORMAT = %d/%m/%Y in props.conf and it is working fine for the newly imported data, but I am still facing the same issue for the data which has already been imported. How do I get out of that problem? Please help. props.conf will help me out for the newly imported data but not for the data which is already imported.

Thanks in advance !!

Please help

0 Karma
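To see why Splunk could read those two rows as May and June, and to check which TIME_FORMAT a sample of values actually supports before indexing it (the thread shows that events already indexed with the wrong timestamp need a clean and re-index), here is an added Python example that is not from any post in the thread. It uses Python's strptime as a stand-in for Splunk's strptime-style TIME_FORMAT directives; the third sample row is constructed to show a value that only parses one way.

```python
"""Check which date-order interpretation a set of BEGIN_TIME values supports.

Added example, not code from the thread. Splunk's TIME_FORMAT takes
strptime-style directives, so datetime.strptime shows the same ambiguity
that made Splunk read 5/11/2012 as 11th May when the data was indexed.
"""
from datetime import datetime

# Constructed sample: the thread's two rows plus one row whose first field
# (25) cannot be a month, so it is only valid as day-first.
SAMPLE_LINES = [
    "5/11/2012 abhay kolkata",
    "6/11/2012 murari raniganj",
    "25/11/2012 someone somewhere",
]

DAY_FIRST = "%d/%m/%Y"    # the TIME_FORMAT the thread settled on
MONTH_FIRST = "%m/%d/%Y"  # the order Splunk assumed for the thread's data


def parse_begin_time(line, fmt):
    """Parse the first whitespace-separated field of a line with fmt.

    Returns the date as an ISO string, or None when fmt rejects the value.
    """
    field = line.split()[0]
    try:
        return datetime.strptime(field, fmt).date().isoformat()
    except ValueError:
        return None


def formats_consistent_with(lines):
    """Return the names of candidate formats that parse every line.

    A sample where both names come back is ambiguous: an indexer picking
    either one would accept every event, so check before ingesting.
    """
    candidates = {"day_first": DAY_FIRST, "month_first": MONTH_FIRST}
    return sorted(
        name for name, fmt in candidates.items()
        if all(parse_begin_time(line, fmt) is not None for line in lines)
    )


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(line.split()[0],
              "day_first:", parse_begin_time(line, DAY_FIRST),
              "month_first:", parse_begin_time(line, MONTH_FIRST))
    print("formats fitting the first two rows:",
          formats_consistent_with(SAMPLE_LINES[:2]))
    print("formats fitting all rows:", formats_consistent_with(SAMPLE_LINES))
```

With only the thread's two rows both formats fit, which is why the wrong order went unnoticed until search time; one value with a day above 12 settles it.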