I have a log file in which some events show the earlier time of when a transaction started, written out after every transaction completes.
So Splunk automatically sorts the log events by _time, and those events that show a time 1-2 seconds back are also sorted that way, so I want to disable the automatic sort.
I want the events shown in the normal sequence in which they appear in the log.
How do I disable the date/time sorting?
My log sample:
13:06:30.706|0000536|2|32| |O|Received response from OG
13:06:30.706|1303635|2|32| |O|IsVoid set to [0], VoidSource is [0]
13:06:30.706|1303635|2|32| |O|Creating new reply object to send response
13:06:30.721|0000536|2|32| |O|1|13:06:29.331|1010051221690010175F2F61179807901**********************************50000415031813062282682610(EMV_DATA)104800601320000020000E0B8C803030000000500082641740400000000350001FDD29099
TT: 62 (ms) 13:06:29.378|1221690010175F2F61079807901**********************************500015031813062282682610(EMV_DATA)104800601320000020000E0B8C8
13:06:30.706|122169001017512000AUTH CODE:13974401503(EMV_DATA)00080000100112345678901234512341002GP15077000000AB1
13:06:30.721|
13:06:30.721|0000536|2|32| |O|getLogMsg returned: [229^101005^17^ihost-uatlive^1^2^5^S^12^11^13^0175^231^0^15^D^18^22169001^21^150318^22^130600^24^TtWlS34ZjBo=^25^0^26^00000005000^199^00000005000^29^XTKueLHMJ9pDGvfSQn0xXI6sjf7niXAV^252^0119^181^1^274^1^275^0^45^43^71^00^80^79807901^82^20150318^83^130629^84^ASH001303635^23^139744^30^92^70^476173900^126^1^147^0^148^4^149^0^160^0^16^0^195^2^176^826^40^826^177^^178^22^179^10^188^^180^0^112^19T9oislVJ5BK0JAImpkLAabsxoTy33RPIQ1ZlzXeIqH1jFaPSra1N5vWtTzlP60ImUeKraJJRx+RfdiM19E1ISp1SIjKOtuDuSaTPQNny4dfm+pQZAm9x+mQV2tR3sdyHGbKXMP+WoRXMoXIHMRwyAzdUq8II/YNRm3uXrftmoyo=^112^21104800601320000020000E0B8C8030300000005000826417404000000000000003501^19^3^137^F2F6^151^0^150^0^146^000800^112^20F8140EEF84CFDB033030^112^2200100112345678901234512341002GP15077000000AB1^95^AUTH CODE:139744^196^1^119^5000^94^826^224^1^223^1^254^000000^134^1.7404^33^000000^253^5C413DD4331BA4E6436E2E96FDA471D3^107^^32^0000^]
13:06:30.721|0000536|1|66| |O|Receive return code indicates 358 bytes received
13:06:30.721|0000536|1|66| |O|Detached from socket [127.0.0.1:2050] having received [358] bytes
13:06:30.721|0000536|1|66| |O|Received 356 byte response from Handler
13:06:30.721|0000536|1|66| |O|Closing send socket [127.0.0.1:2050]
If you look, the first 4 lines are normal, after that there are 3 events with an old time, and after that the last 4 lines are normal again.
Hi
We were able to disable the automatic sorting at indexing time:
when I select the file and then go to Set Sourcetype,
at that point select the timestamp as the current time, and then they load normally.
I got this idea from Rosie Sennett, which helped me solve this problem.
But at indexing time, when I use LINE_BREAKER it works correctly, but when I add
FIELD_DELIMITER = |
FIELD_NAMES = timee,audit,serviceType,processId,serviceName,indicator,status1,status2,status3,status4,status5,status6
the line break does not work.
This is probably the DUMBEST thing I have ever told anybody to do but here goes. You cannot "disable sort" the way you desire because sorting by _time is at the core of what Splunk fundamentally does. The only way I can see to do what you are asking is to force all events to have the same identical (bogus) time. You can do this with this datetime.xml file:
<datetime>
    <!-- numeric month, so the group is extracted as "month" rather than "litmonth" -->
    <define name="_hardcodedate" extract="month, day, year">
        <text>(12)(25)(2014)</text>
    </define>
    <define name="_hardcodetime" extract="hour, minute, second, subsecond">
        <text>(01)(23)(45)(678)</text>
    </define>
    <timePatterns>
        <use name="_hardcodetime"/>
    </timePatterns>
    <datePatterns>
        <use name="_hardcodedate"/>
    </datePatterns>
</datetime>
This should cause all events to go into the tsidx in the order that they are processed, because each has the same timestamp. It would probably be best if you somehow managed to set the date to a date that moves, rather than hard-coding it (maybe get it from the filename) so that your events appear near-now without having to update your hard-coded day/month values in the datetime.xml.
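The reordering in the question and the same-timestamp trick above can both be reproduced outside Splunk. The following Python script is an added example written for this thread, not code from any participant or from Splunk. It uses a constructed log sample modelled on the one in the question (payloads replaced with placeholders) and shows three things: breaking on any line that contains a time turns the continuation lines of the multi-line event into separate "older" events that a sort by time moves up; giving every event the same bogus time (the datetime.xml approach) makes a stable sort fall back to arrival order; and breaking only on a real header line (timestamp followed by a 7-digit audit id, an assumption about this log format) keeps the multi-line event together so the sort by time no longer disturbs file order. The props.conf settings quoted in the comments (SHOULD_LINEMERGE, LINE_BREAKER with a lookahead) are my suggested equivalent, not settings the thread confirms.

```python
import re

# Constructed sample, modelled on the log in the question; the EMV/auth payloads
# of the multi-line event are replaced with placeholders.
SAMPLE_LOG = """\
13:06:30.706|0000536|2|32| |O|Received response from OG
13:06:30.706|1303635|2|32| |O|IsVoid set to [0], VoidSource is [0]
13:06:30.706|1303635|2|32| |O|Creating new reply object to send response
13:06:30.721|0000536|2|32| |O|1|13:06:29.331|<request payload>
TT: 62 (ms) 13:06:29.378|<response payload>
13:06:30.706|12216|AUTH CODE:139744|<auth payload>
13:06:30.721|
13:06:30.721|0000536|1|66| |O|Receive return code indicates 358 bytes received
13:06:30.721|0000536|1|66| |O|Detached from socket [127.0.0.1:2050] having received [358] bytes
"""

# Any HH:MM:SS.mmm anywhere in a line: what "break before any date" keys on.
ANY_TIMESTAMP = re.compile(r"\d{2}:\d{2}:\d{2}\.\d{3}")
# A real event header: timestamp, then a 7-digit audit id, both pipe-delimited
# (assumed format). The equivalent props.conf settings (my suggestion) would be
#   SHOULD_LINEMERGE = false
#   LINE_BREAKER = ([\r\n]+)(?=\d{2}:\d{2}:\d{2}\.\d{3}\|\d{7}\|)
EVENT_HEADER = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{3}\|\d{7}\|")

# First seven of the asker's FIELD_NAMES; the sample header lines have 7 fields.
FIELD_NAMES = ["timee", "audit", "serviceType", "processId", "serviceName",
               "indicator", "status1"]


def naive_events(text):
    """One event per line; timestamp = first HH:MM:SS.mmm found anywhere in it."""
    events = []
    for seq, line in enumerate(text.splitlines()):
        m = ANY_TIMESTAMP.search(line)
        events.append({"seq": seq, "time": m.group(0) if m else None, "raw": line})
    return events


def header_broken_events(text):
    """Start a new event only at a header line; other lines are continuations.
    The timestamp is read from the start of the event (like TIME_PREFIX = ^)."""
    events = []
    for line in text.splitlines():
        if EVENT_HEADER.match(line) or not events:
            events.append({"seq": len(events), "time": line[:12], "raw": line})
        else:
            events[-1]["raw"] += "\n" + line
    return events


def time_sorted_seqs(events):
    """Original sequence numbers in the order a stable sort by timestamp yields
    (ties keep arrival order; fixed-width HH:MM:SS.mmm strings sort correctly)."""
    return [e["seq"] for e in sorted(events, key=lambda e: e["time"] or "")]


def preserves_file_order(events):
    """True when sorting by time leaves the events in their original file order."""
    return time_sorted_seqs(events) == list(range(len(events)))


def with_fixed_time(events, fixed="01:23:45.678"):
    """The datetime.xml trick from the answer: every event gets the same bogus
    time, so a sort by time can only fall back to arrival order."""
    return [dict(e, time=fixed) for e in events]


def extract_fields(event, delimiter="|"):
    """Split the first line of an event on the delimiter into named fields, the
    way the asker's FIELD_DELIMITER / FIELD_NAMES settings were meant to."""
    first_line = event["raw"].split("\n", 1)[0]
    return dict(zip(FIELD_NAMES, first_line.split(delimiter)))


if __name__ == "__main__":
    for label, events in (("naive", naive_events(SAMPLE_LOG)),
                          ("header-broken", header_broken_events(SAMPLE_LOG))):
        print(f"{label}: {len(events)} events, order after time sort "
              f"{time_sorted_seqs(events)}, file order preserved: "
              f"{preserves_file_order(events)}")
    print(extract_fields(header_broken_events(SAMPLE_LOG)[3]))
```

The naive breaker produces nine events and the time sort moves the "TT: 62 (ms) 13:06:29.378" line to the front, which is exactly the reordering the question describes; the header breaker produces six events, the multi-line transaction keeps its 13:06:30.721 header time, and sorting changes nothing. On the FIELD_DELIMITER point in the comment above: as far as I know, FIELD_DELIMITER and FIELD_NAMES belong to Splunk's structured-data (INDEXED_EXTRACTIONS) parsing, which handles record splitting itself, so adding them is the likely reason LINE_BREAKER stopped applying; a search-time delimiter extraction (a transforms.conf stanza with DELIMS and FIELDS) leaves the line breaking alone. That is my reading, not something the thread confirms.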
I gave a solution to this problem, please see answer 3.
If I am understanding you correctly, you would like to be able to use Splunk to show a reconstituted view of the original file. If so, this should work:
| sort 0 - _indextime | stats list(_raw) by source
Now I am able to see the raw data, but I am not able to do any operation on it, like showing fields in a table; they are also in sorted order, and only the top 1000 fields are shown, after that the rest are blank.
I want to disable the automatic time sort, and after that do my own operations on it.
If you want the log file then mail me: nitesh.hadoop@gmail.com
I use
[other]
disabled = true
in file C:\Program Files\Splunk\etc\system\default\times.conf
but that also does not work.
Hi,
Would sorting on _indextime help you?
Thanks!!
No, that also does not work. I want the automatic time sorting disabled, but I am not able to find out how to do it.
What's the objective of removing the timestamp? If you don't need it in the report, just use xxx | fields - _time
I used fields - _time, but that only removes the _time field; the automatic sort based on time is not disabled, and the results still come out in time-sorted order after that.