Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

timestamp issue

indeed_2000
Motivator
‎03-10-2020 09:45 PM

Hi
I have issue with timestamp, here is the problem:
every day at "1 AM" all log files copy into the logserver. this logs belong to the yesterday but splunk consider today date (import date) as timestamp!

1-as you see in screenshot logfile name is 20200310.bz2 but timestamp is 3/11/20 (log belong yesterday but import today).
2-as you see in screenshot every line start with time not date and I can't use timestamp of events.

now question is how can I handle this with splunk?

Thanks,
alt text

Preview file
83 KB
0 Karma
Reply

anmolpatel
Builder
‎03-10-2020 09:59 PM

"Archive files (such as a .tar or .zip file, are decompressed before being indexed."
https://docs.splunk.com/Documentation/Splunk/latest/Data/Monitorfilesanddirectories#How_Splunk_Enter...

So it is reading the timestamp of the recorded event and not the timestamp of the source file.

If you would like to extract the timestamp when the bz2 file is created, use this splunk answer:
https://answers.splunk.com/answers/705686/how-do-you-extract-a-timestamp-from-a-filename.html

Unless you've a specific use case where the timestamp of the source file is needed, would recommend, using the event time, because all your events will be occurring at 1am. With millions of record to search through, it will quickly turn into a pain point.

0 Karma
Reply

indeed_2000
Motivator
‎03-10-2020 10:18 PM

1-bz2 file create next day so not resolve issue if we consider create date of file.
2-this log file only store time of event not date (application create a log file each day, and file name is today date and every line of log file start with time.)

e.g.
file name = 20200311
01:00:00 info logmessage
02:00:00 info logmessage
03:00:00 info logmessage
...

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Building on the foundation established in our initial Value Insights releases, we are introducing the Savings ...

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...