Solved: Is it possible to log the local time on the incomi...

ranjyotiprakash · ‎06-25-2012

Is it possible to log the local time on the incoming logs ?

If the log's time is different those logs are missed out in the charts and I want to log the local time on to the logs. So, that whatever be the timezone or time on the logs it should show with the local time.

Thanks !!

Ayn · ‎06-25-2012

You can define what timezone logs are in, using the TZ directive in props.conf. More information here: http://docs.splunk.com/Documentation/Splunk/5.0/data/Applytimezoneoffsetstotimestamps

If you don't want to set that up but just want to be able to search on when the logs were actually indexed, you can use the _indextime field that has this information. You could assign _time to _indextime to temporarily 'pretend' that it's the index time that constitutes the timestamp:

... | eval _time=_indextime | ...

Or you could do other stuff with the _indextime field as you see fit. Note that this field is normally hidden due to its internal nature, so for instance doing | table _indextime will not show anything. Using eval you can make it visible.

... | eval indextime=_indextime | table indextime

View solution in original post

Ayn · ‎06-25-2012

You can define what timezone logs are in, using the TZ directive in props.conf. More information here: http://docs.splunk.com/Documentation/Splunk/5.0/data/Applytimezoneoffsetstotimestamps

If you don't want to set that up but just want to be able to search on when the logs were actually indexed, you can use the _indextime field that has this information. You could assign _time to _indextime to temporarily 'pretend' that it's the index time that constitutes the timestamp:

... | eval _time=_indextime | ...

Or you could do other stuff with the _indextime field as you see fit. Note that this field is normally hidden due to its internal nature, so for instance doing | table _indextime will not show anything. Using eval you can make it visible.

... | eval indextime=_indextime | table indextime

ranjyotiprakash · ‎06-27-2012

Thanks Ayn.. I will open up a new question ..

Ayn · ‎06-27-2012

Possibly, I don't know right now. Either way that's not part of this question, so please open up a new question if you want help with that.

ranjyotiprakash · ‎06-27-2012

one more question AYN..
when we get data over UDP, in that case "no_appending_timestamp = false" appends timestamp and host to the incoming logs.
Is there any attribute, which appends the timestamp & hosts to incoming logs, when we get data over TCP.

Ayn · ‎06-27-2012

Yes, that's correct.

ranjyotiprakash · ‎06-27-2012

In that case,I need to define the TZ directive in props.conf ??

Ayn · ‎06-27-2012

...but I suspect you meant that last part as a question?

The thing with setting _time to _indextime in your search is it happens AFTER the events have been extracted from the index. So if you search for events from the last 15 minutes, Splunk will first grab the events that have the ORIGINAL timestamp, before handing it over to the rest of the search pipeline. So even if you set _time to something else after that, the events you will get first of all are the ones that match on the initial timestamp.

Ayn · ‎06-27-2012

You're welcome.

ranjyotiprakash · ‎06-27-2012

Thanks for the answer Ayn !!
I have used "eval_time=_indextime" in savedsearches.conf of my app.

search = sourcetype="access" | eval bandwidth=round(bytes_sent/1024,2)| eval _time=_indextime| timechart sum(bandwidth)

It is working in case real time searches on my dashboard. But, when I am selecting last 15 minutes, or last 60 minutes etc. the chart is not showing any data.
Thanks..

Is it possible to log the local time on the incoming logs ?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!