topic Re: can we modify a wrong timestamp? in Getting Data In

can we modify a wrong timestamp?

attgjh1 — Thu, 07 Jun 2012 07:25:18 GMT

the default _time are actually at the time of indexing. however my logs have another time string which i have to separately extract now.

e.g

_time Date Time

05/06/2012 13:19:00.000 7/24/2011 1:47:05

basically im trying to create a timechart but span=1h seems to only affect _time. Any one has encountered such a situation before? I wan to apply it to "Time" field at the very least?

or is there any way to change _time to reflect the new time.

Re: can we modify a wrong timestamp?

Ayn — Thu, 07 Jun 2012 07:34:36 GMT

Do you want to:

Permanently change the _time value for events that are already in the index? That cannot be done.
Configure Splunk to properly recognize the timestamp so that _time will contain the correct timestamp in the future? Have a look at http://docs.splunk.com/Documentation/Splunk/latest/Data/Configuretimestamprecognition
Just temporarily set the _time value to something else? That could be done by using eval before running timechart. I could update my answer with more details on how to do this if this is what you want to do.

UPDATE: So, if you want to go with option 3, you could do something like what I show below. I'm assuming that your fields called what you specified "Date" and "Time".

... | eval mytime=Date." ".Time | eval _time=strptime(mytime,"%m/%d/%Y %H:%M:%S") | timechart ...

After you've done the eval, the _time field that will be picked up by timechart is the one you just extracted from the Date and Time fields, instead of the actual timestamp that Splunk put on the event.

Re: can we modify a wrong timestamp?

attgjh1 — Thu, 07 Jun 2012 07:57:20 GMT

as long as i can walk around a solution to sort them hourly. still working a way around it cuz span works only on _time. 😕

is there a way to trick splunk to work and display a chart using Time Date instead? (probably something like ur 3rd suggestion which i have yet figure out how ) 😞

thanks alot!

Re: can we modify a wrong timestamp?

Ayn — Thu, 07 Jun 2012 08:19:45 GMT

Updated my answer.

Re: can we modify a wrong timestamp?

attgjh1 — Thu, 07 Jun 2012 08:41:56 GMT

thanks. i sort of understand your suggestion. im under the assumption that _time can be overwritten with eval?

hmm. ive tried it but it didnt work.here is my regex and my search line:

rex "(?i)^(?P[\d/]*) (?P[\d:]+)" | eval mytime=Date." ".Time | eval _time=strptime(mytime,"%m/%d/%Y %H:%M:%S") | table _time Date Time

somehow _time is now blank fields but i have the fields extracted correctly.

Re: can we modify a wrong timestamp?

Ayn — Thu, 07 Jun 2012 09:26:54 GMT

Exactly, you're overwriting the _time field with eval.

If the _time field is empty after running eval that's because the strptime expression couldn't be applied successfully. You need to check that the format from the mytime field matches the strptime format string.

Re: can we modify a wrong timestamp?

attgjh1 — Fri, 08 Jun 2012 00:39:19 GMT

Thanks alot.

Here's a cookie.

Re: can we modify a wrong timestamp?

imanpoeiri — Mon, 20 Jul 2015 08:38:51 GMT

you just received a cookie!