Videos

  • Add Videos
  • View All

Latest Activity

Profile Icon
Greg Vallenari is now a member of splunkninja Sunday
Welcome Them!
Profile Icon
Mike Hartford commented on Michael Wilde's video
Got it thanks
Thumbnail

Splunk Ninja - Basic Training: Splunk & LDAP Authentication

Feb 8
Profile Icon
Michael Wilde commented on Michael Wilde's video
Sure...  When you do group mapping, map them to groups that don't have the domain admins in them.  I have a separate OU=Groups that has "Splunk Users, Splunk Admins, Splunk Power Users" as group names, and specific users…
Thumbnail

Splunk Ninja - Basic Training: Splunk & LDAP Authentication

Feb 8
Profile Icon
Mike Hartford commented on Michael Wilde's video
I want to give LDAP access to my splunk servcie but I don't want the LDAP users to have admin capabilitys in Splunk.  Can I keep the domain admins out of Splunk if I have LDAP authentication???
Thumbnail

Splunk Ninja - Basic Training: Splunk & LDAP Authentication

Feb 7
Profile Icon
Mike Hartford left a comment for Jonathan Hawes
Helow Jonathan,   Glad to have another Splunker.  I've been useing Splunk for 2 years and am hooked.  I leared how to spell splunk and | transaction too.  you'll learn that one soon.   Go over to Splunk…
Feb 7
Profile Icon
Mike Hartford commented on Mike Hartford's blog post 'tees for the holy day'
  Holy Batskins Ninja, zzzzzwap zgruppp kapow a hidden stash, how great is that!!!!   The team that found them must have special bat senses and highly tooned Splunking skills   I like to wear Extra Lovable…
Feb 7
Profile Icon
Learning, learning, learning . . . Our Splunk "expert" is gone, and the non-programmer gets to learn the task! How do you spell SPLUNK?
Status posted by Jonathan Hawes Feb 7
0 Comments
Profile Icon
Jonathan Hawes is now a member of splunkninja Feb 7
Welcome Them!
Jordan Schroeder

custom time series on x-axis

I have a custom app dumping a custom log to file every night that includes all events in that app. Each log entry has a time stamp, but Splunk only indexes the creation date of the file.

What Splunk reports is that there are 1000 events at midnight, instead of a 1000 events over the year.

How do I create a search/report that uses the timestamp from each entry as the x-axis?

Thank you.

Tags: timechart

Views: 24

Reply to This

Replies to This Discussion

Jordan SchroederPermalink Reply by Jordan Schroeder on February 12, 2010 at 9:54pm
Update: I was able to use a props.conf file to specify what the timestamp should be, and used
TIME_FORMAT=%m/%d/%Y

Now, anything timestamped before 8/28/2004 isn't being recognized as a timestamp and Splunk is grabbing the date of the log file instead. So, now I have 500 events spread out over 6 years (a good thing) and 500 events being recorded as happening today (a bad thing).

Any help on the timestamp issue?
Michael WildePermalink Reply by Michael Wilde on February 15, 2010 at 1:40pm
If you want splunk to recognize older data, you can put a setting In your props.conf, just add
MAX_DAYS_AGO =

Set that to the number of days, 2190 would be six years. More or less, now you know which way to go.

stop splunk, clean your index (splunk clean eventdata -index main), restart splunk.

RSS

© 2012   Created by Michael Wilde.

Badges  |  Report an Issue  |  Terms of Service