Solved: Add date to the timestamp of an event

oscargarcia · ‎04-29-2011

I have some events, that are indexed with strange dates...

17:56:58,442: htsxml2|c6d1956a-d611-47a5-97df-df0d31e1dbc7|32885|790667|483520|1|B|default|OK|65|3391
17:56:56,546: htsxml2|86bbb572-360d-4c12-8a18-0bd08ce0d7c0|17116|108051|130889|110|B|default|ERROR|-1|-1

Is there a way I can force the date to apply to the events contained in an specific file?

carasso · ‎04-29-2011

If you use a filename that has a date in it, that date will be used (if there are no timestamps on your events).

For example, if you rename "dispo.log.P" to "dispo.20101020.log.P" those events should be indexed as occurring on Oct 20, 2010.

View solution in original post

woodcock · ‎05-02-2015

As a supplement to both answers provided, the method to accomplish either is to use datetime.xml. In the former, you can setup 3 different rules to use, in the latter, you can tell Splunk to get the date from the filename and the time from the event.

sideview · ‎05-16-2011

Hmm. Rather than trying one really complex regex with lots of logic in it, did you try having 3 dead-simple regexes, with appropriate literals in it to match on like |B| vs |P| ? Sourcetypes can easily have more than one regex in them and 3 super-simple ones might perform better than one crazy-complicated one.

carasso · ‎04-29-2011

If you use a filename that has a date in it, that date will be used (if there are no timestamps on your events).

For example, if you rename "dispo.log.P" to "dispo.20101020.log.P" those events should be indexed as occurring on Oct 20, 2010.

Add date to the timestamp of an event

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!