Hi,
We need to add YYYY to my events through configuration files. How can we achieve this?
Can someone please give an example of doing this? My sample logs look like below.
As the logs below don't have YYYY, data is not ingesting properly.
44168:M 15 Jul 00:58:45.288 - DB 0: 271239 keys (0 volatile) in 524288 slots HT.
44168:M 15 Jul 00:58:45.288 - 10 clients connected (1 slaves), 675337520 bytes in use
44168:M 15 Jul 00:58:50.298 - DB 0: 271239 keys (0 volatile) in 524288 slots HT.
44168:M 15 Jul 00:58:50.298 - 10 clients connected (1 slaves), 675337448 bytes in use
44168:M 15 Jul 00:58:55.307 - DB 0: 271239 keys (0 volatile) in 524288 slots HT.
44168:M 15 Jul 00:58:55.307 - 10 clients connected (1 slaves), 675374368 bytes in use
44168:M 15 Jul 00:59:00.315 - DB 0: 271239 keys (0 volatile) in 524288 slots HT.
44168:M 15 Jul 00:59:00.315 - 10 clients connected (1 slaves), 675337472 bytes in use
44168:M 15 Jul 00:59:05.326 - DB 0: 271239 keys (0 volatile) in 524288 slots HT.
44168:M 15 Jul 00:59:05.326 - 10 clients connected (1 slaves), 675411168 bytes in use
44168:M 15 Jul 00:59:10.339 - DB 0: 271239 keys (0 volatile) in 524288 slots HT.
44168:M 15 Jul 00:59:10.339 - 10 clients connected (1 slaves), 675374368 bytes in use
44168:M 15 Jul 00:59:15.346 - DB 0: 271239 keys (0 volatile) in 524288 slots HT.
44168:M 15 Jul 00:59:15.346 - 10 clients connected (1 slaves), 675337448 bytes in use
44168:M 15 Jul 00:59:20.359 - DB 0: 271239 keys (0 volatile) in 524288 slots HT.
44168:M 15 Jul 00:59:20.359 - 10 clients connected (1 slaves), 675337520 bytes in use
Try this in props.conf:
[YourSourceTypeHere]
TIME_PREFIX = ^\d+:\w+\s+
TIME_FORMAT = %d %b %H:%M:%S.%3N
If the year is missing, then Splunk will assume "this year" (or "last year" if in January and it sees December stuff), so long as you are not sending in stuff that is months old. Put this on your indexers and restart splunk instances there and then all NEW data will be correct (old data will stay wrong).
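The year rule described in the answer above, as an added Python illustration (not Splunk's own code and not from this thread): it applies the TIME_PREFIX regex and a TIME_FORMAT to a yearless line, then fills in the index-time year, stepping back one year only for a December timestamp seen in January. It assumes Python's %f as the stand-in for Splunk's %3N, and the sample line is constructed to match the thread's log shape.

```python
import re
from datetime import datetime

# Constructed sample line in the same shape as the thread's logs (no year).
SAMPLE = "44168:M 15 Jul 00:58:45.288 - DB 0: 271239 keys (0 volatile) in 524288 slots HT."

# Same TIME_PREFIX as the props.conf stanza above.
TIME_PREFIX = re.compile(r"^\d+:\w+\s+")
# Python strptime has no %3N; %f consumes the fractional seconds instead (assumption).
TIME_FORMAT = "%d %b %H:%M:%S.%f"
MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}


def infer_year(month, index_time):
    """Year rule from the answer: assume the index year, except that a
    December timestamp indexed in January belongs to the previous year."""
    if index_time.month == 1 and month == 12:
        return index_time.year - 1
    return index_time.year


def extract_timestamp(line, index_time):
    """Emulate TIME_PREFIX + TIME_FORMAT on a yearless line.

    The year is prepended *before* parsing so that '29 Feb' in a leap year
    parses; parsing with strptime's default year 1900 would reject it.
    """
    m = TIME_PREFIX.match(line)
    if not m:
        raise ValueError("TIME_PREFIX did not match: %r" % line)
    fields = line[m.end():].split()
    if len(fields) < 3 or fields[1] not in MONTHS:
        raise ValueError("no '%%d %%b %%H:%%M:%%S.%%3N' run after prefix: %r" % line)
    token = " ".join(fields[:3])                      # e.g. "15 Jul 00:58:45.288"
    year = infer_year(MONTHS[fields[1]], index_time)
    return datetime.strptime("%d %s" % (year, token), "%Y " + TIME_FORMAT)


if __name__ == "__main__":
    print(extract_timestamp(SAMPLE, datetime(2016, 7, 16, 12, 0, 0)))
```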
Specify the time format in props.conf explicitly (without year) and it should work fine. Something like:
[yoursourcetype]
TIME_PREFIX = ^\d+:M
TIME_FORMAT = %d %b %T.%3N
Splunk will assume the current year at the time of indexing in this case I believe.
Why do you think that you need this?
Because, while ingesting data, since my logs do not have the year, Splunk is not ingesting any data except the time frame (00:00:00 to 00:59:59).
Since it does not have the year, it is considering the hour as the date and we are getting incorrect times.
Sample logs below:
Time format is 1:58:50 --- the time it considered is 7/13/15. But it should be 7/15/2016.
7/13/15 1:58:50.298 PM 44168:M 15 Jul 1:58:50.298 - 10 clients connected (1 slaves), 675337448
7/16/15 4:59:00.315 PM 44168:M 15 Jul 4:59:00.315 - DB 0: 271239 keys (0 volatile) in 524288 slots HT.
I think an easy way that could then be easily changed in the future would be to use SEDCMD:
SEDCMD-year = s/:M/:M 2016/g
Would I need to do this in timeFormat in props.conf?
Yes indeed
And then reload the data.