<div id="readability-page-1" class="page"><div id="post-body-2076164363809718998" itemprop="articleBody">
<div><p><a href="https://docs.splunk.com/Documentation/Splunk/7.1.2/Data/HowSplunkextractstimestamps?_gl=1*zz67d5*_gcl_au*MTI3MjgwNTUzNC4xNzczMzM2NDc2*FPAU*MTI3MjgwNTUzNC4xNzczMzM2NDc2*_ga*MTA0ODY4NTA1Ny4xNzY1NTUwNzMz*_ga_5EPM2P39FV*czE3NzM1Nzk1MDYkbzQ3JGcxJHQxNzczNTgxNTQ1JGozMCRsMCRoMTQ2NjEwMDc3Mw..*_fplc*UHNHS25uQkJjcWpaeHVTU1ByeWJIc016NklqT3ZJbHIlMkZIJTJGT045SThSdXk0MzA1OUNwS2JPalVMM01PY2c2YTdsWTJQRjR5ZnMxbmFmaTBEblNZUmN2azdEcWtGT2FFTW5KNHBZZ21ma2JrbUlzVEZiQnhzQzlMY0JKSjJPdyUzRCUzRA..">스플렁크는 이벤트 내에서 시간 정보를 찾고, 없으면 이벤트 파일명에서 찾는다고 한다</a>. 그런데 파일명에도 시간 정보가 없으면?</p></div><p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieIANJUy9AebrY2InO1wVW_2vlC9e6WQ9aW7P7D7cI7AIBXcW4lllJg_xQk3GoB7N2FfPGQE4VUwXpwVswyV_Oe0eG03YC5Fmt-MJTB8L7AmH9egB56uF_dsifQxU6CcKVnuEIuJw_QSOwkSiHd6BESL8wt4n8lj5xf_fS5MSfRfaVBf536U_CG0Ge3y_U/s1280/data_with_no_time.png"><img data-original-height="600" data-original-width="1280" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieIANJUy9AebrY2InO1wVW_2vlC9e6WQ9aW7P7D7cI7AIBXcW4lllJg_xQk3GoB7N2FfPGQE4VUwXpwVswyV_Oe0eG03YC5Fmt-MJTB8L7AmH9egB56uF_dsifQxU6CcKVnuEIuJw_QSOwkSiHd6BESL8wt4n8lj5xf_fS5MSfRfaVBf536U_CG0Ge3y_U/s16000/data_with_no_time.png"></a></p><p><span><a name="more"></a></span>시간 정보가 없는 2,009개의 ids 로그 연동. 첫 257개의 로그를 하나의 이벤트로 인식한다.</p><p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihdWBonsavSrWGlxx_hA8pADVA53xKudt4aebmPwPup_1StU4lbkmhOpQ2y0Et0NqKLRctM6vB79lK-sOiZaOxYfnjteRc542RG5KWWl5lkIoO580Mh63a06f9VFiG9DufEz3toL_NvaUKhj6tmcsWWOL4NcfqvWdud5PjqZhSW5_hNQziQWhBSr3ytPnr/s1190/ingest_with_no_time.png"><img data-original-height="720" data-original-width="1190" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihdWBonsavSrWGlxx_hA8pADVA53xKudt4aebmPwPup_1StU4lbkmhOpQ2y0Et0NqKLRctM6vB79lK-sOiZaOxYfnjteRc542RG5KWWl5lkIoO580Mh63a06f9VFiG9DufEz3toL_NvaUKhj6tmcsWWOL4NcfqvWdud5PjqZhSW5_hNQziQWhBSr3ytPnr/s16000/ingest_with_no_time.png"></a></p><p>샘플을 바꿔봤는데 전부 똑같다. 시간 정보가 없으면 무조건 첫 257개 로그를 하나의 이벤트로 인식.</p><p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUrZtiOixeicBXtVtsh1OJ8zWn1n1ZXqAlE-5CC2s5KvMk4mutlSGWvtDF2GhIFizV5PgM4lRs3f3P94LywFEkZdGKzIpz88Xh0f_v6wiukx270ahIUdjUcBG527Gna75g4lXjWbLNL1N4rJS-YlNLScjqq-q72j6EIzNRAGNJDXwO1PHgQl3EtQIPD9Kc/s1280/ingest_with_no_time2.png"><img data-original-height="492" data-original-width="1280" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUrZtiOixeicBXtVtsh1OJ8zWn1n1ZXqAlE-5CC2s5KvMk4mutlSGWvtDF2GhIFizV5PgM4lRs3f3P94LywFEkZdGKzIpz88Xh0f_v6wiukx270ahIUdjUcBG527Gna75g4lXjWbLNL1N4rJS-YlNLScjqq-q72j6EIzNRAGNJDXwO1PHgQl3EtQIPD9Kc/s16000/ingest_with_no_time2.png"></a></p><p>원본 구조를 유지하려면 '이벤트 구분 정책 &gt; 모든 행' 또는</p><p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEize69rypXPf1H_8IA4O2lcxuINGOoK4wzlsIN_GFwbQSkaGqHO2WfKdWKIRHnYdYLWt92o44Fsa9LN9NckGcWAnjdlLKE8CLUU_3pqiQcexLD4QgiLCEomGYe38V8VG4Nf0mwcW7kkQOx45uS-IA8l05F2Ri0-cItikVc_wL9vDtj4ooiaKQ_BKNNL-jA3/s1237/ingest_with_no_time3.png"><img data-original-height="720" data-original-width="1237" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEize69rypXPf1H_8IA4O2lcxuINGOoK4wzlsIN_GFwbQSkaGqHO2WfKdWKIRHnYdYLWt92o44Fsa9LN9NckGcWAnjdlLKE8CLUU_3pqiQcexLD4QgiLCEomGYe38V8VG4Nf0mwcW7kkQOx45uS-IA8l05F2Ri0-cItikVc_wL9vDtj4ooiaKQ_BKNNL-jA3/s16000/ingest_with_no_time3.png"></a></p><p>'타임스탬프 &gt; 현재' 옵션이 적용된 sourcetype을 만들어야 함.</p><p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtjnYFdkjljk5CDmOSANGKwa41DrjSgirFnw5cYNIz4eUBS3SetCN6XejNE4lIhw7Aq3N4rs7PtVTxshWOJg-hEscFqtu4kTFBjLJB3N5TAFlwFbQonQ-cLxx49YKjFX-C5XuoKunVTrvqYZZCx3r0eVMJj5TQ-_wq8J1lEqLNO2ziJPLEC4ekEhwpa3xX/s1237/ingest_with_no_time4.png"><img data-original-height="720" data-original-width="1237" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtjnYFdkjljk5CDmOSANGKwa41DrjSgirFnw5cYNIz4eUBS3SetCN6XejNE4lIhw7Aq3N4rs7PtVTxshWOJg-hEscFqtu4kTFBjLJB3N5TAFlwFbQonQ-cLxx49YKjFX-C5XuoKunVTrvqYZZCx3r0eVMJj5TQ-_wq8J1lEqLNO2ziJPLEC4ekEhwpa3xX/s16000/ingest_with_no_time4.png"></a></p><p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5wzKWC4UWujZciMn0pQzjzmOqZJ26vCgXtNSSUtcyXFR23ysk8PM4D3LgovTCMkpprkShjWUYxMJUPlwWkKN50teDMiVHKR8tztk9YpeqirhXA97cFcPrPhXjJMFQ-SKGSmWWFYMGQIZHJNHNiD-Y6xNQY-v-zU6SG5lNWuFB0FhrJIbXlbaUkPCfo5Xk/s1280/ingest_with_no_time5.png"><img data-original-height="453" data-original-width="1280" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5wzKWC4UWujZciMn0pQzjzmOqZJ26vCgXtNSSUtcyXFR23ysk8PM4D3LgovTCMkpprkShjWUYxMJUPlwWkKN50teDMiVHKR8tztk9YpeqirhXA97cFcPrPhXjJMFQ-SKGSmWWFYMGQIZHJNHNiD-Y6xNQY-v-zU6SG5lNWuFB0FhrJIbXlbaUkPCfo5Xk/s16000/ingest_with_no_time5.png"></a></p><p><b>관련 글</b></p><div><ul><li><a href="https://kangmyounghun.blogspot.com/2021/03/splunk.html">Splunk의 데이터 전처리</a></li><li><a href="https://kangmyounghun.blogspot.com/2025/10/splunk-sourcetype.html">Splunk의 sourcetype 변경</a></li></ul></div>

</div></div>

케세라세라

스플렁크는 이벤트 내에서 시간 정보를 찾고, 없으면 이벤트 파일명에서 찾는다고 한다. 그런데 파일명에도 시간 정보가 없으면?
시간 정보가 없는 2,009개의 ids 로그 연동. 첫 257개의 로그를 하나의 이벤트로 인식한다.
샘플을 바꿔봤는데 전부 똑같다. 시간 정보가 없으면 무조건 첫 257개 로그를 하나의 이벤트로 인식.
원본 구조를 유지하려면 '이벤트 구분 정책 > 모든 행' 또는
'타임스탬프 > 현재' 옵션이 적용된 sourcetype을 만들어야 함.
관련 글
Splunk의 데이터 전처리
Splunk의 sourcetype 변경

data with no timestamp

댓글