Splunk Search

Log file does not have any date field, but Splunk automatically gives different dates to the events; can I remove the date from the _time field?

nitesh218ss
Communicator

Hi
I have a log file which is created every hour, so the events do not have a date field, but Splunk automatically assigns a different date to every event.
So when I use a time search between some specific times, the search fails due to the different dates auto-provided by Splunk.
I need to give one date to every event, or remove the date field, so that I am able to search a particular time.

My log file demo:
07:33:41.571|0071540|1|49| |O|Created send socket [447.0.0.1:1618]
07:33:41.571|0071540|1|49| |O|Sending 319 byte request to Handler

Please give any solution

1 Solution

woodcock
Esteemed Legend

You need to tell Splunk to use the date in the events to timestamp the events like this in props.conf:

TIME_PREFIX=^
TIME_FORMAT=%H:%M:%S

This should make events that have the same time to have the same timestamp, which I believe is what you would like. Splunk may not like that this does not specify a date. Is the date encoded in the log filename? If so, we can use datetime.xml to access it.


nitesh218ss
Communicator

Hi sir,
I used
TIME_PREFIX=^
TIME_FORMAT=%H:%M:%S.%3N
but at first it shows the current date, and after some time the date
differs again.
I tried using TIME_PREFIX=2015-05-09
but when I search it shows the date 2015-05-011,
meaning it does not work. Is there any other way to set the date?


woodcock
Esteemed Legend

TIME_PREFIX does not tell Splunk to add this prefix to your timestamp in each event, it is a REGEX applied to the event to tell Splunk where to have the parser begin looking for the timestamp inside each event.


nitesh218ss
Communicator

But inside the event no date field is present, only a time field.
So I want to declare my own date at index time or at search time, but I don't know how to do this.


woodcock
Esteemed Legend

Test what I gave you and see what Splunk does when you let it figure out the date without you telling Splunk where to find it. If you don't like what Splunk does by default, then use datetime.xml to hardcode something or pull the date from somewhere else (filename, modtime, etc.).


nitesh218ss
Communicator

But if I change datetime.xml then it affects the other logs too, so what do I do for a single log?


woodcock
Esteemed Legend

You do not have to use the global datetime.xml; create one inside your app that you reference directly that has only your configuration.


nitesh218ss
Communicator

I created a folder named with the date, so now I am trying to set the date from it, but my attempt with datetime.xml failed.

 C:\Users\T_NiteshS1\Documents\My Received Files\20150511\log2.log

If you look before log2.log you see the folder 20150511; this is the date.
If you expand 20150511, it is yyyymmdd.

What I tried in the xml is:

<define name="_masheddate2" extract="month, day, year">
    <text><![CDATA[(?:^|C:\Program Files\Splunk\etc\apps\search::).*?(20\d{2})(\d{2})(\d{2})]]></text>
</define>

woodcock
Esteemed Legend

Try this for your datetime.xml (hopefully markdown will not mangle the text):
<datetime>
  <define name="_dateFromDirectorySegment" extract="year, month, day">
    <text><![CDATA[source::.*?\\(\d{4})(\d{2})(\d{2})\\]]></text>
  </define>
  <define name="_timeFromEventData" extract="hour, minute, second, subsecond">
    <text><![CDATA[^(\d{2}):(\d{2}):(\d{2})\.(\d{3})]]></text>
  </define>
  <timePatterns>
    <use name="_timeFromEventData"/>
  </timePatterns>
  <datePatterns>
    <use name="_dateFromDirectorySegment"/>
  </datePatterns>
</datetime>

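Before dropping a datetime.xml like the one above into an app, it is worth checking offline that the two regexes really pull the date out of the directory segment and the time out of the event, and that events from the same hourly file then land on one date (which is what the poster's 07:10 to 07:30 search needs). The harness below is an added example, not Splunk's own code or anything from the thread: it parses the `<define>` patterns out of the XML text with the standard library, applies them to a `source::<path>` line followed by the event, and builds the resulting timestamp. The `source::` line and the line-anchored (MULTILINE) matching are assumptions that approximate how Splunk exposes the source to datetime.xml patterns; the sample path and log lines are constructed from the ones in the thread.

```python
"""Offline check of datetime.xml patterns: directory date + event time."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# The datetime.xml proposed in the thread (with the backslashes that markdown
# stripped restored), embedded as a constructed string so this runs without Splunk.
DATETIME_XML = r"""<datetime>
  <define name="_dateFromDirectorySegment" extract="year, month, day">
    <text><![CDATA[source::.*?\\(\d{4})(\d{2})(\d{2})\\]]></text>
  </define>
  <define name="_timeFromEventData" extract="hour, minute, second, subsecond">
    <text><![CDATA[^(\d{2}):(\d{2}):(\d{2})\.(\d{3})]]></text>
  </define>
  <timePatterns>
    <use name="_timeFromEventData"/>
  </timePatterns>
  <datePatterns>
    <use name="_dateFromDirectorySegment"/>
  </datePatterns>
</datetime>"""

# Constructed sample input: the poster's path plus lines in the log's format.
SAMPLE_SOURCE = r"C:\Users\T_NiteshS1\Documents\My Received Files\20150511\log2.log"
SAMPLE_EVENTS = [
    "07:12:05.003|0071540|1|49| |O|Opening handler connection",
    "07:33:41.571|0071540|1|49| |O|Created send socket [447.0.0.1:1618]",
    "07:33:41.571|0071540|1|49| |O|Sending 319 byte request to Handler",
    "07:45:00.000|0071540|1|49| |O|Handler closed",
]


def load_patterns(xml_text: str) -> Tuple[Dict[str, tuple], List[str]]:
    """Return {define name: (compiled regex, extracted field names)} and the
    names referenced from <datePatterns> and <timePatterns>, in that order."""
    root = ET.fromstring(xml_text)
    defs = {}
    for d in root.findall("define"):
        fields = [f.strip() for f in d.get("extract").split(",")]
        # MULTILINE so '^' in the time pattern anchors at the event line (assumption).
        defs[d.get("name")] = (re.compile(d.find("text").text, re.MULTILINE), fields)
    used = [u.get("name")
            for block in ("datePatterns", "timePatterns")
            for u in root.find(block).findall("use")]
    return defs, used


def extract_fields(defs, used, source: str, event: str) -> Dict[str, str]:
    """Apply each referenced pattern to 'source::<path>\\n<event>' (assumed layout)."""
    text = "source::" + source + "\n" + event
    fields: Dict[str, str] = {}
    for name in used:
        regex, names = defs[name]
        m = regex.search(text)
        if m:
            fields.update(zip(names, m.groups()))
    return fields


def event_time(source: str, event: str, defs, used) -> Optional[datetime]:
    """Timestamp for one event, or None where Splunk would be left guessing
    the date (no dated directory segment, or a segment that is not a date)."""
    f = extract_fields(defs, used, source, event)
    needed = ("year", "month", "day", "hour", "minute", "second")
    if any(k not in f for k in needed):
        return None
    micro = int(f.get("subsecond", "0").ljust(6, "0")[:6])  # "571" -> 571000 us
    try:
        return datetime(int(f["year"]), int(f["month"]), int(f["day"]),
                        int(f["hour"]), int(f["minute"]), int(f["second"]),
                        micro, tzinfo=timezone.utc)
    except ValueError:
        return None  # e.g. a directory named 20151399 is not a date


def search_window(source: str, events: List[str], day: str,
                  start: str, end: str) -> List[str]:
    """The search that failed for the poster: events with a time between
    start and end ("HH:MM:SS.mmm") on the directory's date ("YYYY-MM-DD")."""
    defs, used = load_patterns(DATETIME_XML)
    fmt = "%Y-%m-%d %H:%M:%S.%f"
    lo = datetime.strptime(f"{day} {start}", fmt).replace(tzinfo=timezone.utc)
    hi = datetime.strptime(f"{day} {end}", fmt).replace(tzinfo=timezone.utc)
    hits = []
    for e in events:
        t = event_time(source, e, defs, used)
        if t is not None and lo <= t <= hi:
            hits.append(e)
    return hits


if __name__ == "__main__":
    d, u = load_patterns(DATETIME_XML)
    for e in SAMPLE_EVENTS:
        print(event_time(SAMPLE_SOURCE, e, d, u), e)
    print(search_window(SAMPLE_SOURCE, SAMPLE_EVENTS, "2015-05-11",
                        "07:10:00.000", "07:30:00.000"))
```

Two things the harness makes visible that the XML alone does not: a source path without a `\yyyymmdd\` segment yields no date at all (so the app-scoped datetime.xml must only be applied to sourcetypes that really live under dated folders), and the two sample events that share 07:33:41.571 get the identical timestamp once the date comes from the directory. In props.conf the app-local file is referenced with DATETIME_CONFIG, whose value is a path relative to $SPLUNK_HOME (for example /etc/apps/<your_app>/local/datetime.xml), so only the stanza that sets it is affected.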

nitesh218ss
Communicator

Yes, I created a new datetime.xml,
but today I tried with the file path in place of source in datetime.xml.
I will try this in the office tomorrow.


nitesh218ss
Communicator

Thanks, sir.


woodcock
Esteemed Legend

Do note that markdown removed all the backslashes from in front of my "(d{2})" and "(d{4})" strings, so you will have to put them back.


srinathd
Contributor

You can use _indextime in the search query to retrieve them.


richgalloway
SplunkTrust

What is the search that is failing?


nitesh218ss
Communicator

When I select a time like 7:10:00.000 to 7:30:00.000, it shows no results, because the date part is not the same date that Splunk auto-provided.
