Hi, how can I configure Splunk to use the day/month and time from the file but pull the year from the filename? I have logs that contain the time and day/month at the start of every entry; however, when I set it to automatically detect the timestamp, Splunk often sets the incorrect year. Also, in addition to being in the filename, each log contains the year in the first log entry. Here is an example. The file name is #newsroom.20080826.txt
Session Start: Tue Aug 26 00:00:01 2008
Session Ident: #newsroom
[00:00.29 8/26] 00:00ET *DJ US Diplomat Escapes Attack In Pakistan - Police
Thank you
Update
I tried adding the year to each line of every log file using a modifier program, but it proved to be an impossible task due to the number of log files, which span more than a decade. I'd also have to break them down by year before editing them. Going forward, all log file entries include the year, but my main concern is the historical data. I just finished renaming the files so they start with the year in the filename and re-indexing to see if that would help, but to no avail. One thing has become clear though: the problem still appears random. Here is an example from a search:
The event time is 7/3/11 9:45:00.000 AM
The actual returned event: [09:45.01 7/3] <news> 09:45ET 13:45GMT <marketwatch> DJIA: 14,911.29 -21.12 [-0.14%] SPX: 1,608.55 -5.53 [-0.34%]
The source name: source=/Volumes/Logs/MLogs/2013-07-03 newsroom.financial.txt
The very first line of this log: Session Start: Wed Jul 03 00:00:00 2013
As you can see, even though the entry contains only hh:mm.ss m/d and no year, the year is included in the filename and in the first line of the log itself. For the life of me I can't figure out where it would be getting 2011 for the event time. As I said, it is random: many other logs will have the correct year for events, while others have random years that don't match the filename year or the year in the first line of the log.
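An added example, not part of the original post and not Splunk's own code: a Python pre-processing step that resolves each file's year from the file name (the `20080826` and `2013-07-03` patterns quoted above) or from the `Session Start:` line, stops when the two disagree, and prefixes every `[hh:mm.ss m/d]` event with an unambiguous ISO-8601 timestamp so nothing is left for the indexer to guess. The sample file name and lines are constructed from the formats shown in the post.

```python
import re
from datetime import datetime

# Constructed sample in the format quoted in the post: the file name carries the
# date, the first line carries the year, and events carry only hh:mm.ss m/d.
SAMPLE_NAME = "2013-07-03 newsroom.financial.txt"
SAMPLE_LINES = [
    "Session Start: Wed Jul 03 00:00:00 2013",
    "Session Ident: #newsroom",
    "[09:45.01 7/3] <news> 09:45ET 13:45GMT <marketwatch> DJIA: 14,911.29 -21.12 [-0.14%]",
]

# 20080826 or 2013-07-03 style dates inside a file name; the first group is the year.
YEAR_IN_NAME = re.compile(r"(?<!\d)(\d{4})-?\d{2}-?\d{2}(?!\d)")
# "Session Start: Tue Aug 26 00:00:01 2008" -> trailing four-digit year
SESSION_START = re.compile(r"^Session Start: .*?(\d{4})\s*$")
# "[09:45.01 7/3]" -> hour, minute, second, month, day (no year present)
EVENT_STAMP = re.compile(r"^\[(\d{1,2}):(\d{2})\.(\d{2}) (\d{1,2})/(\d{1,2})\]")

def year_from_filename(name):
    m = YEAR_IN_NAME.search(name)
    return int(m.group(1)) if m else None

def year_from_header(first_line):
    m = SESSION_START.match(first_line)
    return int(m.group(1)) if m else None

def resolve_year(name, first_line):
    """Prefer the file-name year and fall back to the Session Start line.
    A disagreement between the two is a data-quality problem worth stopping on."""
    from_name, from_header = year_from_filename(name), year_from_header(first_line)
    if from_name and from_header and from_name != from_header:
        raise ValueError(f"{name}: file name says {from_name}, header says {from_header}")
    year = from_name or from_header
    if year is None:
        raise ValueError(f"{name}: no year in file name or first line")
    return year

def stamp_events(name, lines):
    """Return the event lines, each prefixed with a full ISO-8601 timestamp."""
    year = resolve_year(name, lines[0])
    stamped = []
    for line in lines:
        m = EVENT_STAMP.match(line)
        if not m:
            continue  # Session Start / Session Ident lines are headers, not events
        hh, mm, ss, month, day = map(int, m.groups())
        ts = datetime(year, month, day, hh, mm, ss).strftime("%Y-%m-%dT%H:%M:%S")
        stamped.append(f"{ts} {line}")
    return stamped
```

Once every event begins with a complete timestamp like this, a single `TIME_FORMAT = %Y-%m-%dT%H:%M:%S` in props.conf is enough, and the year can no longer be inferred incorrectly.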