Hi,
I have a log file that when ingested using a one shot, all but 3 of the events get stamped with the correct date/time. The 3 events all have the time in them and get stamped with the correct time but since the date is not in the event end up with a date that is not either the current date or the date of the last modification time of the file.
When reviewing "Precedence rules for timestamp assignment" at http://www.splunk.com/base/Documentation/latest/Admin/HowSplunkextractstimestamps it would seem like step #5 and #6 should kick in since most likely #4 does not happen because splunk is most likely not going to parse the date out of the source name which is not of a standard format.
How can I debug what is happening?
Thanks!
If you could provide a sample event line for us and what timestamp splunk gives it versus what timestamp it should get then that may help us figure out a way to get the correct timestamp in there.
That's the weird part. The date that shows up on the events is neither the system time or the last mod time on the file. The events in question do not have any kind of date in them that it finds based on the analysis in the answer below. The only thing is that these records happen consecutively and so the first one gets the correct date given step #3 in the timestamp precedence but the subsequent ones get this random date...
You just asked for debugging info. If you want us to help you debug, please provide more details in your original post - what OS, what do the raw events look like, what timestamp does Splunk end up giving them?
I checked the answer out but my the _time and the analysis of the time positions show that the date isn't in what it's finding. So how can I debug the timestamp assignment precedence as it relates to the date?
can you see which date is being used? Is it using the system time?