Why are today's events showing as yesterday for ce...

cmamer · ‎04-29-2015

I have a forwarder configured to pull data from a local server as a generic single line sourcetype.
The events in the logfile only show the time, not the date.
There are timestamp lines in the logfile that indicate the date sporadically, but there hasn't been one put in the logfile yet.

I just started up a new index, and for the first few events it shows the correct date, but then it switches to yesterday's date.

How can I correct the times of these events?

cmamer · ‎07-28-2015

The date format wasn't being read properly so I've changed the settings so that the time value is the time of indexing.

woodcock · ‎04-29-2015

If I understand you correctly, the input file will have a DATE and then a bunch of events with TIMES (only) and then, when the date changes, another line with a DATE and then more events (with TIMES only). There may be a way to do this by taking over complete control of assigning the date using datetime.xml but I cannot think of a way if, as I have inferred, files contain more than 1 date.

I would pre-process the file in 1 of 2 ways:
BEST: Split the file into multiple files, each containing only events for a single date and put the date into the filename. Then use datetime.xml to extract the DATE from the filename and the TIME from the event.
WORSE: Put the date inside the file into each event. This is easier but wastes a ton of space and some processing power.

Why are today's events showing as yesterday for certain events?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life