I have searched splunk answers and seen various people commenting on timestamp formats, but I can't find exactly what I'm seeing, so I thought I'd ask the question.
I am trying to create a new file input based on a txt file that gets updated with a timestamped event.
When I preview the file, it highlights the timestamp in my data with a green highlight, which I presume shows me that it has identified the time/date.
I'm in the UK so my data is DD/MM: 01/06/2015 13:58:47
However, on the right hand side of the preview screen where it shows the "event time distribution" as a small graph, the format is MM/DD.
Why is it changing this?
What is more bizarre is that I set up these file inputs last month and they were working fine. The date format was dd/mm etc. and I had no problems. But when we ticked over to the 1st of June, literally at midnight, the inputs stopped working.
I don't know of any change to our environment that would cause this. We haven't updated Splunk in any way recently. The files are being updated in the same way every 5 minutes, and the raw data in the files is still correct and hasn't changed.
Also, it isn't browser locale related. I am using the same URL I always use. I can use it with or without en-gb in the URL, and the same happens with these file inputs.
I know this is going to be very hard to provide a solution for, but I've checked everything I can think of, so I'm just looking for any ideas that I have possibly overlooked.
We are using Splunk 6.0.2, build 196940.
Just to finish off, here is what I have ended up doing. Our Splunk environment is Windows based, not Linux, so I created this script, which is a batch file that runs every 5 minutes as a Windows scheduled task. This runs on the Splunk server, but I use a network path in the batch file so I can count remote directories.
@echo off
setlocal
REM Count every file in the remote folder, then append one timestamped record to the count file.
SET count=0
for %%o IN ("\\network\folder\location\*.*") DO (
    SET /A count=count + 1
)
net time \\%computername% | find "Current time" >> c:\count\countfiles.txt
echo dataareaid=UK >> c:\count\countfiles.txt
echo currentcount=%count% >> c:\count\countfiles.txt
This outputs the timestamp (from net time) and the count result to the txt file (countfiles.txt). I use the double arrow >> to append the results each time it runs.
I then created a new data input > file input in Splunk that indexes this countfiles.txt file.
Splunk automatically picked up the timestamp and created the correct event rows for me.
Because I put "currentcount=" in the batch file, Splunk identifies that as a custom field, so I can search on it.
When creating the input I created a new sourcetype called "filecount".
I monitor different directories, each with a different batch file and resulting count txt file. I have set up a file input for each of these in Splunk and assigned them all this new sourcetype. This way I can search using sourcetype="filecount" and it returns all my file count results, which I plot on a single chart. In our case each directory relates to a different country.
The full search I use is:
sourcetype="filecount" | timechart max(currentcount) by dataareaid span=5m
This gives me exactly what I needed: a running count over time showing the maximum file count.
We have functions that process these files and move them on. If that function fails, the files aren't moved and the count rises as the files stay in the folders. This is shown perfectly on our Splunk chart as a rising count line and alerts us to any issues with this process.
The same could be used by anyone with an FTP server processing incoming files.
Hope that helps anyone wanting to do a similar thing.
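As an added illustration (not part of the original post or of Splunk), this Python script reads the three-line records the batch job appends to countfiles.txt, parses the DD/MM timestamp explicitly so 01/06 cannot be misread as 6 January, reproduces the `timechart max(currentcount) by dataareaid span=5m` bucketing, and flags any country whose count keeps rising, which is the failure condition the chart is used to alert on. The sample records and the hostname SPLUNKSRV are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample of c:\count\countfiles.txt as the batch job appends it every 5 minutes
# (UK locale, so "net time" prints DD/MM/YYYY; the hostname SPLUNKSRV is a placeholder).
SAMPLE = r"""
Current time at \\SPLUNKSRV is 01/06/2015 13:55:02
dataareaid=UK
currentcount=3
Current time at \\SPLUNKSRV is 01/06/2015 14:00:01
dataareaid=UK
currentcount=4
Current time at \\SPLUNKSRV is 01/06/2015 14:05:03
dataareaid=UK
currentcount=9
Current time at \\SPLUNKSRV is 01/06/2015 14:05:04
dataareaid=DE
currentcount=1
"""
TIME_RE = re.compile(r"Current time at \S+ is (\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})")

def parse_events(text):
    """Return (timestamp, dataareaid, count) per record; %d/%m/%Y makes 01/06 the 1st of June."""
    events, ts, area = [], None, None
    for line in text.splitlines():
        m = TIME_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%d/%m/%Y %H:%M:%S")
        elif line.startswith("dataareaid="):
            area = line.split("=", 1)[1]
        elif line.startswith("currentcount=") and ts and area:
            events.append((ts, area, int(line.split("=", 1)[1])))
    return events

def timechart_max(events, span_minutes=5):
    """Like `timechart max(currentcount) by dataareaid span=5m`: {(bucket_start, area): max}."""
    buckets = defaultdict(int)
    for ts, area, count in events:
        bucket = ts.replace(minute=ts.minute - ts.minute % span_minutes, second=0, microsecond=0)
        buckets[(bucket, area)] = max(buckets[(bucket, area)], count)
    return dict(buckets)

def rising_areas(chart, consecutive=3):
    """Areas whose max count rose across the last `consecutive` buckets (files piling up: the alert case)."""
    by_area = defaultdict(list)
    for (bucket, area), count in sorted(chart.items()):
        by_area[area].append(count)
    return sorted(area for area, c in by_area.items()
                  if len(c) >= consecutive and all(a < b for a, b in zip(c[-consecutive:], c[-consecutive + 1:])))
```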