I'm tasked with consuming a log file with year-less timestamps ranging back to September 20th 2015. The strptime format is %b %d %H:%M:%S.%3N and the timestamps are always at the beginning of the event, however I can't figure out how to ingest the data in a way that doesn't assign it all to exist either in 2018 or 2017.
After reading on how timestamp assignment works and how Splunk determines timestamps with no year, I can't find anything that addresses my particular scenario.
As soon as I apply the strptime format, all data is bucketed in 2017/2018, even though the events in the log file are contiguous aside from having gaps of several days between events.
Can someone point me to something that gives me some guidance? I've played with MAX_DAYS_AGO but that doesn't appear to help in this particular situation. As best as I can describe, I need the Splunk ingestion engine to 'wrap' backwards from the most-recent event in the logfile (June 17th 2018), handling lack of events over large groups of days, back to 2017, then 2016, then finally 2015 where the first events exist.
The log file is 6.4 MB and has 22927 lines. I did the date math trying to figure out MAX_DAYS_AGO and September 20th 2015 should only be 1010 (days ago) by the time of this writing...
Am I missing something hiding in plain sight, or is this an issue I need to overcome by modifying the log file to inject dates? This isn't ideal and may not be possible in production, so I'm trying to find a way through it, if I can.
Thanks in advance for everyone's help!
(edited for clarity)
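The backward "wrap" the question describes, written out as an added Python example that is not part of the original post and is not Splunk's own timestamp logic. It assumes the file is in chronological order and that the year of the most recent event is known (2018, taken from the question); the last line is anchored to that year and, walking backwards, the year is decremented whenever a line's month/day would otherwise be later than the line after it. The sample log is constructed, not from the original post.

```python
from datetime import datetime

# Constructed sample log (not from the original post). Lines are in file
# order, carry no year, and span two year boundaries with multi-day gaps.
SAMPLE_LOG = """\
Sep 20 08:15:01.123 first event
Dec 31 23:59:59.900 end of that year
Feb 29 06:00:00.000 leap day, only valid in a leap year
Jul 04 12:00:00.250 mid-year
Mar 01 09:30:00.000 after another wrap
Jun 17 17:45:00.500 most recent event
"""

# Python's %f accepts 1 to 6 fractional digits, so the 3-digit .%3N fits.
YEARLESS_FMT = "%b %d %H:%M:%S.%f"


def _parse_in_year(stamp, year):
    """Parse a year-less stamp as belonging to `year`. If that calendar date
    does not exist in `year` (Feb 29 in a non-leap year), step back a year
    until it does. Returns (datetime, year_used)."""
    while True:
        try:
            return datetime.strptime(f"{year} {stamp}", "%Y " + YEARLESS_FMT), year
        except ValueError:
            year -= 1


def assign_years(text, last_event_year):
    """Assign a year to every line of a chronologically ordered, year-less log.

    The final line is anchored to `last_event_year`. Walking backwards through
    the file, the year is decremented whenever a line would otherwise be later
    than the line that follows it, which a chronological file cannot contain.
    Gaps shorter than a year are handled; a gap of a year or more cannot be
    detected from the timestamps alone (an assumption of this approach).
    Returns [(datetime, message), ...] in file order.
    """
    lines = [l for l in text.splitlines() if l.strip()]
    year = last_event_year
    later = None  # datetime of the next line in file order
    out = []
    for line in reversed(lines):
        mon, day, clock, msg = line.split(" ", 3)
        stamp = f"{mon} {day} {clock}"
        dt, year = _parse_in_year(stamp, year)
        if later is not None and dt > later:
            # This date already passed in the current year: wrap back one year.
            dt, year = _parse_in_year(stamp, year - 1)
        out.append((dt, msg))
        later = dt
    out.reverse()
    return out


def year_span(text, last_event_year):
    """Return (earliest_year, latest_year) after year assignment."""
    events = assign_years(text, last_event_year)
    return events[0][0].year, events[-1][0].year


if __name__ == "__main__":
    for dt, msg in assign_years(SAMPLE_LOG, 2018):
        print(dt.isoformat(timespec="milliseconds"), msg)
```

Run against the sample, the six lines land in 2015, 2015, 2016, 2017, 2018 and 2018 respectively, which is the September 2015 to June 2018 range the question describes. The same walk could emit lines with a full `%Y` prefix if rewriting the file ahead of ingestion turns out to be the only option.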