Is it possible to log the local time on the incoming logs?
If the log's time is different, those logs are missed out in the charts, and I want to log the local time onto the logs. So, whatever the timezone or time on the logs, it should show with the local time.
Thanks !!
You can define what timezone logs are in using the TZ directive in props.conf. More information here: http://docs.splunk.com/Documentation/Splunk/5.0/data/Applytimezoneoffsetstotimestamps

If you don't want to set that up but just want to be able to search on when the logs were actually indexed, you can use the _indextime field that has this information. You could assign _time to _indextime to temporarily 'pretend' that it's the index time that constitutes the timestamp:

... | eval _time=_indextime | ...

Or you could do other stuff with the _indextime field as you see fit. Note that this field is normally hidden due to its internal nature, so for instance doing | table _indextime will not show anything. Using eval you can make it visible:

... | eval indextime=_indextime | table indextime
Thanks Ayn. I will open up a new question.
Possibly, I don't know right now. Either way that's not part of this question, so please open up a new question if you want help with that.
One more question, Ayn.
When we get data over UDP, "no_appending_timestamp = false" appends a timestamp and host to the incoming logs.
Is there any attribute which appends the timestamp and host to incoming logs when we get data over TCP?
Yes, that's correct.
In that case, I need to define the TZ directive in props.conf?
...but I suspect you meant that last part as a question?
The thing with setting _time to _indextime in your search is it happens AFTER the events have been extracted from the index. So if you search for events from the last 15 minutes, Splunk will first grab the events that have the ORIGINAL timestamp, before handing it over to the rest of the search pipeline. So even if you set _time to something else after that, the events you will get first of all are the ones that match on the initial timestamp.
You're welcome.
Thanks for the answer Ayn!!
I have used "eval _time=_indextime" in savedsearches.conf of my app.
search = sourcetype="access" | eval bandwidth=round(bytes_sent/1024,2) | eval _time=_indextime | timechart sum(bandwidth)
It is working in case of real-time searches on my dashboard. But when I am selecting last 15 minutes, or last 60 minutes etc., the chart is not showing any data.
Thanks..
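An added example, not from anyone in this thread, of how to make the savedsearch above select events by index time so that the time picker's filter on the original _time no longer drops them. It uses Splunk's _index_earliest/_index_latest search modifiers for the index-time window, and sets a deliberately wide earliest/latest in the search string (which overrides the dashboard time picker) so that events whose original timestamps are off by a timezone in either direction are still returned; the sourcetype and bytes_sent field are taken from the savedsearch in the thread.

```spl
sourcetype="access" earliest=-30d latest=+1d _index_earliest=-15m _index_latest=now
| eval _time=_indextime
| eval bandwidth=round(bytes_sent/1024,2)
| timechart span=1m sum(bandwidth)
```

Change -15m to match the window you want the chart to cover; because the selection is now done on _indextime, the eval that rewrites _time only affects how the events are bucketed, not which events are returned.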