Timestamp extraction - Selecting 2013 instead of 2007

satishsdange
Builder

I am trying to extract a timestamp, but instead of 2007, Splunk is extracting 2013, which does not appear anywhere in my event. Could someone please advise me how to fix this problem?

<38>Dec 14 06:24:30 10.2.1.30 SAFEART: Auditnumber="FFFE02F1677334EBBD36",TimeReported="2007/12/14 06:19:29",TimeReceived="2007/12/14

Props.conf

[xxx_logs]
TIME_PREFIX = TimeReported=
TIME_FORMAT = %Y/%m/%d %H:%M:%S
SHOULD_LINEMERGE = False
LINE_BREAKER = ([\n\r]+)<\d{2}>\w{3}\s\d{2}\s\d{2}:\d{2}:\d{2}


rsennett_splunk
Splunk Employee

Here's what's missing from your settings: MAX_DAYS_AGO=4000

If you check out the spec for props.conf you'll see this setting and the explanation:

MAX_DAYS_AGO = <integer>
* Specifies the maximum number of days past, from the current date, that an extracted date
  can be valid.
* For example, if MAX_DAYS_AGO = 10, Splunk ignores dates that are older than 10 days ago.
* Defaults to 2000 (days), maximum 10951.
* IMPORTANT: If your data is older than 2000 days, increase this setting.

Note that last line... and the one above it. If you don't tell Splunk that it's legit to have a date that's from over 10 years ago... it assumes it's corrupted if it just pops in there... (if it's part of a giant backfill... Splunk will get the message because the dates are consecutive). I don't really have an explanation for the 2013 (my example came up with 2012 using your event)... except that Splunk is trying really hard to make sense of a date that you've indicated, by omission, is younger than 2000 days ago.

You also want to change TIME_PREFIX = TimeReported= to TIME_PREFIX = TimeReported="

If you check it out with the Add Data Wizard (without my changes), you'll see messages explaining these things. When you don't include the quote in the prefix (it is... part of what comes right before the date), Splunk will not really know exactly what to do with it, and the message you'll see in the Wizard explains that it's trying to figure out which date is the one you want. Splunk tries really, really hard to extract the timestamp, and it will latch on to anything that even remotely looks like one. So it's best to be sure you're giving it the specific directives that lead it to the one you want... especially when there are several in one event.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

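To make the two points in the accepted answer concrete, here is a small Python model of how a TIME_PREFIX / TIME_FORMAT directive and the MAX_DAYS_AGO validity check interact on the poster's event. This is an added example, not Splunk's code and not part of the original thread: the sample event is constructed from the truncated one in the question, the reference "now" is assumed to be December 2013 so the age check is reproducible, and Splunk's fallback heuristics (whatever led it to 2013) are deliberately not modelled. What it does show is that the prefix without the closing quote never yields a value in the stated format, and that a correctly extracted 2007 date is still discarded under the default 2000-day window unless MAX_DAYS_AGO is raised.

```python
import re
from datetime import datetime

# Constructed sample event, modelled on the (truncated) event in the question.
EVENT = (
    '<38>Dec 14 06:24:30 10.2.1.30 SAFEART: Auditnumber="FFFE02F1677334EBBD36",'
    'TimeReported="2007/12/14 06:19:29",TimeReceived="2007/12/14 06:19:31"'
)

# Assumed indexing time, chosen so the 2007 event is ~2192 days old,
# i.e. just outside the default MAX_DAYS_AGO window of 2000 days.
NOW = datetime(2013, 12, 14, 6, 24, 30)

TIME_FORMAT = "%Y/%m/%d %H:%M:%S"
PREFIX_WITHOUT_QUOTE = r'TimeReported='    # the poster's original setting
PREFIX_WITH_QUOTE = r'TimeReported="'      # the corrected setting


def extract_timestamp(event, time_prefix, time_format):
    """Model of TIME_PREFIX + TIME_FORMAT: find the prefix regex, then parse the
    text immediately after it with the strptime format. Returns None when the
    text following the prefix does not begin with a value in that format."""
    match = re.search(time_prefix, event)
    if match is None:
        return None
    rest = event[match.end():]
    # Try the longest candidate slice first so that a shorter partial match
    # (e.g. a one-digit %S) is not accepted when a complete value is present.
    for end in range(min(len(rest), 40), 0, -1):
        try:
            return datetime.strptime(rest[:end], time_format)
        except ValueError:
            continue
    return None


def check_timestamp(event, time_prefix, time_format, now, max_days_ago=2000):
    """Return (status, timestamp).

    status is 'no_match' when the prefix/format directive yields no value,
    'too_old' when the value is more than max_days_ago days before `now`
    (the MAX_DAYS_AGO rule from props.conf.spec), and 'ok' otherwise."""
    ts = extract_timestamp(event, time_prefix, time_format)
    if ts is None:
        return "no_match", None
    if (now - ts).days > max_days_ago:
        return "too_old", ts
    return "ok", ts


if __name__ == "__main__":
    # Missing quote: the format is applied to '"2007/...' and never matches.
    print(check_timestamp(EVENT, PREFIX_WITHOUT_QUOTE, TIME_FORMAT, NOW))
    # Correct prefix, default window: extracted but rejected as too old.
    print(check_timestamp(EVENT, PREFIX_WITH_QUOTE, TIME_FORMAT, NOW))
    # Correct prefix, MAX_DAYS_AGO raised as the answer suggests: accepted.
    print(check_timestamp(EVENT, PREFIX_WITH_QUOTE, TIME_FORMAT, NOW, max_days_ago=4000))
```

One caveat worth keeping in mind when choosing the value: MAX_DAYS_AGO is measured from the date of indexing, not from any fixed point, so a window that is wide enough for a backfill today will need to be wider if the same data is re-indexed years later.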
