Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to debug timestamp assignment issues?

Derek
Path Finder
‎01-13-2011 05:00 PM

Hi,

I have a log file that when ingested using a one shot, all but 3 of the events get stamped with the correct date/time. The 3 events all have the time in them and get stamped with the correct time but since the date is not in the event end up with a date that is not either the current date or the date of the last modification time of the file.

When reviewing "Precedence rules for timestamp assignment" at http://www.splunk.com/base/Documentation/latest/Admin/HowSplunkextractstimestamps it would seem like step #5 and #6 should kick in since most likely #4 does not happen because splunk is most likely not going to parse the date out of the source name which is not of a standard format.

How can I debug what is happening?

Thanks!

Tags (2)
0 Karma
Reply

Rob
Splunk Employee
Splunk Employee
‎01-14-2011 11:22 AM

If you could provide a sample event line for us and what timestamp splunk gives it versus what timestamp it should get then that may help us figure out a way to get the correct timestamp in there.

0 Karma
Reply

Derek
Path Finder
‎01-13-2011 08:29 PM

That's the weird part. The date that shows up on the events is neither the system time or the last mod time on the file. The events in question do not have any kind of date in them that it finds based on the analysis in the answer below. The only thing is that these records happen consecutively and so the first one gets the correct date given step #3 in the timestamp precedence but the subsequent ones get this random date...

0 Karma
Reply

araitz
Splunk Employee
Splunk Employee
‎01-13-2011 09:04 PM

You just asked for debugging info. If you want us to help you debug, please provide more details in your original post - what OS, what do the raw events look like, what timestamp does Splunk end up giving them?

0 Karma
Reply

Derek
Path Finder
‎01-13-2011 08:25 PM

I checked the answer out but my the _time and the analysis of the time positions show that the date isn't in what it's finding. So how can I debug the timestamp assignment precedence as it relates to the date?

0 Karma
Reply

Rob
Splunk Employee
Splunk Employee
‎01-13-2011 05:27 PM

can you see which date is being used? Is it using the system time?

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...