splunkninja

The dojo of Splunk. Learn, share, teach, mentor.

Jordan Schroeder

custom time series on x-axis

I have a custom app dumping a custom log to file every night that includes all events in that app. Each log entry has a time stamp, but Splunk only indexes the creation date of the file.

What Splunk reports is that there are 1000 events at midnight, instead of a 1000 events over the year.

How do I create a search/report that uses the timestamp from each entry as the x-axis?

Thank you.

Tags: timechart

Reply to This

Replies to This Discussion

Jordan Schroeder Permalink Reply by Jordan Schroeder on February 12, 2010 at 9:54pm
Update: I was able to use a props.conf file to specify what the timestamp should be, and used
TIME_FORMAT=%m/%d/%Y

Now, anything timestamped before 8/28/2004 isn't being recognized as a timestamp and Splunk is grabbing the date of the log file instead. So, now I have 500 events spread out over 6 years (a good thing) and 500 events being recorded as happening today (a bad thing).

Any help on the timestamp issue?

Reply to This

Michael Wilde Permalink Reply by Michael Wilde on February 15, 2010 at 1:40pm
If you want splunk to recognize older data, you can put a setting In your props.conf, just add
MAX_DAYS_AGO =

Set that to the number of days, 2190 would be six years. More or less, now you know which way to go.

stop splunk, clean your index (splunk clean eventdata -index main), restart splunk.

Reply to This

RSS

Videos

Latest Splunk Community Postings

Latest Splunk Forum Posts

Adding additional servers to *Nix app?

Create new Field and Assign existing field in transforms.conf

How do I remove Sources?

Clear Windows Logs?

Create new Field and Assign existing field in transforms.conf

© 2010   Created by Michael Wilde.   Powered by .

Badges  |  Report an Issue  |  Terms of Service

Sign in to chat!