Getting Data In

How to debug timestamp assignment issues?

Derek
Path Finder

Hi,

I have a log file that, when ingested using a one shot, all but 3 of the events get stamped with the correct date/time. The 3 events all have the time in them and get stamped with the correct time but, since the date is not in the event, end up with a date that is neither the current date nor the date of the last modification time of the file.

When reviewing "Precedence rules for timestamp assignment" at http://www.splunk.com/base/Documentation/latest/Admin/HowSplunkextractstimestamps it would seem like steps #5 and #6 should kick in, since most likely #4 does not happen because Splunk is most likely not going to parse the date out of the source name, which is not of a standard format.

How can I debug what is happening?

Thanks!

0 Karma

Rob
Splunk Employee

If you could provide a sample event line for us, and what timestamp Splunk gives it versus what timestamp it should get, then that may help us figure out a way to get the correct timestamp in there.

0 Karma

Derek
Path Finder

That's the weird part. The date that shows up on the events is neither the system time nor the last mod time on the file. The events in question do not have any kind of date in them that it finds, based on the analysis in the answer below. The only thing is that these records happen consecutively, and so the first one gets the correct date given step #3 in the timestamp precedence, but the subsequent ones get this random date...

0 Karma

araitz
Splunk Employee

You just asked for debugging info. If you want us to help you debug, please provide more details in your original post - what OS, what do the raw events look like, what timestamp does Splunk end up giving them?

0 Karma

Derek
Path Finder

I checked the answer out, but the _time and the analysis of the time positions show that the date isn't in what it's finding. So how can I debug the timestamp assignment precedence as it relates to the date?

0 Karma

Rob
Splunk Employee

Can you see which date is being used? Is it using the system time?

0 Karma