Hi all.
I have a set of logs without a timestamp field, so this value is taken from "Current time" on each sourcetype (16 in total). It is assumed that one of my users puts these logs in a local folder once per day, and the Splunk forwarder transmits them to the indexer, so I have a daily report of the information. Sadly, my user doesn't do this, and now I have old data waiting to be indexed on fixed dates, I mean:
Oct3/log1.....log16
Oct4/log1.....log16
Oct5/log1.....log16
I have some reports showing the daily activity, so I can't index all the data at the same time :(
Logs have the same names `log1.....log16` and don't include any date in their names.
Any suggestion for indexing data on a specific date? My dirty idea for now is to stop the Splunk server, change the server date, start Splunk, index one folder according to its date, and repeat, changing the system date each time, until all the folders with fixed dates are done.
Thanks!
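As an added example that is not part of the original post: rather than changing the system clock, one workable alternative is to give every backlog line an explicit timestamp derived from its folder name before the forwarder reads it, so that Splunk's timestamp extraction assigns `_time` from the line instead of from "Current time". The script below is illustrative and assumes folders named like `Oct3` (month abbreviation plus day, no year) with the year passed in, a fixed time of day of 12:00:00 because the lines carry none, and a separate output tree for the stamped copies; the folder naming, the `log*` file pattern and the `YYYY-MM-DDTHH:MM:SS` prefix format are assumptions, not details from the post.

```shell
#!/bin/sh
# Added example (not from the original post): prefix each line of the backlog
# with a timestamp derived from its folder name, so Splunk assigns _time from
# the line rather than from index time.
# Assumed layout: SRC/<Mon><day>/log1 ... SRC/<Mon><day>/log16, with no year
# in the folder name (the year is supplied as an argument). Output goes to
# DST/<YYYY-MM-DD>/log1 ..., which the forwarder monitors instead of SRC.

set -eu

# month_number Oct -> 10 (fails for anything that is not a month abbreviation)
month_number() {
  case "$1" in
    Jan) echo 01;; Feb) echo 02;; Mar) echo 03;; Apr) echo 04;;
    May) echo 05;; Jun) echo 06;; Jul) echo 07;; Aug) echo 08;;
    Sep) echo 09;; Oct) echo 10;; Nov) echo 11;; Dec) echo 12;;
    *) return 1;;
  esac
}

# folder_to_date YEAR FOLDER: Oct3 -> 2019-10-03; non-zero status if the
# folder name does not look like <Mon><day>
folder_to_date() {
  year=$1
  folder=$2
  mon=$(printf '%s' "$folder" | sed 's/[0-9]*$//')
  day=$(printf '%s' "$folder" | sed 's/^[A-Za-z]*//; s/^0*\([0-9]\)/\1/')
  [ -n "$day" ] || return 1
  mm=$(month_number "$mon") || return 1
  printf '%s-%s-%02d\n' "$year" "$mm" "$day"
}

# stamp_file DATE IN OUT: write IN to OUT with "DATET12:00:00 " in front of
# every line. Noon is an assumed time of day, since the lines carry none.
stamp_file() {
  sed "s/^/$1T12:00:00 /" "$2" > "$3"
}

# stamp_tree YEAR SRC DST: walk SRC/<Mon><day>/log*, writing stamped copies
# to DST/<YYYY-MM-DD>/ and skipping folders whose name cannot be parsed.
stamp_tree() {
  year=$1; src=$2; dst=$3
  for dir in "$src"/*/; do
    folder=$(basename "$dir")
    date=$(folder_to_date "$year" "$folder") || { echo "skip $folder" >&2; continue; }
    mkdir -p "$dst/$date"
    for f in "$dir"log*; do
      [ -f "$f" ] || continue
      stamp_file "$date" "$f" "$dst/$date/$(basename "$f")"
    done
  done
}

# Usage: ./stamp_backlog.sh 2019 /path/to/backlog /path/to/stamped
if [ "$#" -eq 3 ]; then
  stamp_tree "$1" "$2" "$3"
fi
```

Point the forwarder's monitor input at the output tree and give each of the 16 sourcetypes `TIME_PREFIX = ^`, `TIME_FORMAT = %Y-%m-%dT%H:%M:%S` and `MAX_TIMESTAMP_LOOKAHEAD = 19` in props.conf so the prefix is parsed and the rest of the line is left as it was. Because the file names repeat from day to day, the forwarder may consider a same-named file with identical leading bytes as already read; `crcSalt = <SOURCE>` in the inputs.conf stanza makes the path part of that check. Stamp and index one day first and confirm the events land on that date with a search bounded to it before feeding in the rest of the backlog.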