Logs with no timestamp incorrectly getting date fr...

gpullis · ‎07-25-2011

I have a sourcetype where Splunk is correctly getting the time stamp from the events, but the events don't contain a date.

Unfortunately the logs are named like:

rkj050508_d0373452.broomecounty.us.tracesql

Where 050508 is part of a username, and not a date. But, sure enough, Splunk thinks the events are from 2008-05-05.

Is there a way to get the date from index-time, but get the time from the timestamp?

jbsplunk · ‎07-25-2011

I would suggest using DATETIME_CONFIG = current in props.conf for the sourcetype the data is assigned. I think it has a decent chance at telling splunk to use the system current timestamp for the event. You can also try to specify a TIME_FORMAT, TIME_PREFIX, and MAX_TIMESTAMP_LOOKAHEAD in props.conf to tell splunk what the time format is, where to look for the timestamp, and how many characters the timestamp contains. If there isn't a date in the file, just don't specify one. The default behavior is that when the log doesn't contain a date, to revert to the mod time of the file for the date. Hopefully this will get you close to what you'd like to see.

http://www.splunk.com/base/Documentation/latest/Data/Configuretimestamprecognition

gpullis · ‎08-06-2011

Actually, the default behavior appears to be to look for a date in the filename if it can't find a date in the event.

jbsplunk · ‎07-26-2011

I edited my answer to reflect what I would suggest given this information.

gpullis · ‎07-26-2011

Thanks, but what I'd like to do is use the timestamp from the log entry plus the modification date of the file to form the timestamp for the event. Is there a way to do that?

Logs with no timestamp incorrectly getting date from file name

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk