Just downloaded Splunk on my laptop and am trying it out on a log file.
I am at: Home » Add data » Files & directories » Data preview
Each line in the log looks like this:
EVENT: code_point Label: 0x12345678 Handle: 0x98760abc STAMP: 784523000.
The timestamp is at the end (and ends with a dot), and the value is "microseconds since boot".
I can't figure out the right combination of preface and strptime patterns to get Splunk to parse my timestamps. Suggestions?
I suggest that since "boot time" is a moving target, there will be no way for Splunk to come up with an absolute time stamp for that event. In this instance, Splunk will default to "now" for the event time for that log line. You can still search for the value of the STAMP field, and obtain other useful insights, but knowing exactly when in time that event occurred may not be possible.
It's not recognizing time stamps because to its way of thinking there aren't any. You mentioned that you're indexing an existing log file. In this instance, yes, you're right that Splunk will set the event time to be the last modification time of the file. If you're monitoring a live (i.e. changing) file, if Splunk can't find a full time stamp for the event, it will use "now" as the event time of that new line.
I don't know of a way to treat the stamp in a single event as an offset from a seed time.
OK, but my first problem is that Splunk is not recognizing the timestamps at all. Splunk gives every entry a timestamp of the file creation time, even though the last entry occurred an hour after the first.
I could seed the log with an entry that gives the absolute time when boot happened. What format should I use for this seed entry? And how do I get Splunk to read the STAMP: field as a microsecond offset from the seed?
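One way to handle both parts of the follow-up (a seed entry giving the absolute boot time, and turning each microsecond STAMP into an absolute time) is to preprocess the file before indexing it. The script below is an added example, not part of the original thread and not a Splunk feature: it assumes a seed line of the form `BOOT_EPOCH: <ISO-8601 UTC>` (my own convention, not anything Splunk defines), parses the event lines in the format the question shows, and emits each line prefixed with an absolute ISO 8601 timestamp. It also flags a STAMP that goes backwards, which is what a reboot without a fresh seed line would look like, since the offset would then be relative to the wrong boot. The sample log is constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample log (not from the original thread): a seed line with the
# absolute boot time, then event lines in the format described in the question.
SAMPLE_LOG = """\
BOOT_EPOCH: 2024-03-01T12:00:00Z
EVENT: code_point Label: 0x12345678 Handle: 0x98760abc STAMP: 784523000.
EVENT: code_point Label: 0x12345679 Handle: 0x98760abd STAMP: 4384523000.
EVENT: malformed line without a stamp
EVENT: code_point Label: 0x1234567a Handle: 0x98760abe STAMP: 1000.
"""

# Hypothetical seed-line convention; Splunk does not define this.
SEED_RE = re.compile(r"^BOOT_EPOCH:\s*(\S+)\s*$")
# Event line: the STAMP is microseconds since boot and ends with a dot.
EVENT_RE = re.compile(r"^EVENT:\s*(?P<event>\S+).*?STAMP:\s*(?P<stamp>\d+)\.?\s*$")


def parse_seed(line):
    """Return the boot time as an aware UTC datetime, or None if not a seed line."""
    m = SEED_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_event(line):
    """Return (event_name, stamp_microseconds) or None if the line has no STAMP."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    return m.group("event"), int(m.group("stamp"))


def stamp_to_absolute(boot_time, stamp_us):
    """Convert a microseconds-since-boot offset into an absolute datetime."""
    return boot_time + timedelta(microseconds=stamp_us)


def rewrite_log(text):
    """Prefix each event line with an absolute ISO 8601 timestamp.

    Returns (output_lines, skipped) where skipped is a list of
    (line_number, reason) for lines that could not be timestamped.
    """
    boot_time = None
    last_stamp = None
    out, skipped = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        seed = parse_seed(line)
        if seed is not None:
            boot_time = seed
            last_stamp = None  # a new seed starts a new monotonic sequence
            continue
        ev = parse_event(line)
        if ev is None:
            skipped.append((lineno, "no STAMP field"))
            continue
        if boot_time is None:
            skipped.append((lineno, "STAMP before any BOOT_EPOCH seed"))
            continue
        _, stamp_us = ev
        if last_stamp is not None and stamp_us < last_stamp:
            # Counter went backwards: most likely a reboot with no new seed,
            # so the offset would be measured from the wrong boot time.
            skipped.append((lineno, "STAMP decreased; reboot without new seed?"))
            continue
        last_stamp = stamp_us
        ts = stamp_to_absolute(boot_time, stamp_us)
        out.append(f"{ts.isoformat(timespec='microseconds')} {line}")
    return out, skipped


if __name__ == "__main__":
    lines, skipped = rewrite_log(SAMPLE_LOG)
    for line in lines:
        print(line)
    for lineno, reason in skipped:
        print(f"# skipped line {lineno}: {reason}")
```

Once the absolute timestamp sits at the start of every line, Splunk's ordinary timestamp recognition has something to work with, and the original STAMP value is still in the event for searching. The skipped list is worth keeping: lines dropped for a backwards counter are exactly the ones where an automatic offset would have produced a confidently wrong time.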