https://community.splunk.com/t5/Getting-Data-In/TImestamp-assignment-for-an-event/m-p/105826#M22261 <P>In-depth documentation is <A href="http://docs.splunk.com/Documentation/Splunk/5.0.1/Data/ConfigurePositionalTimestampExtraction">http://docs.splunk.com/Documentation/Splunk/5.0.1/Data/ConfigurePositionalTimestampExtraction</A> and <A href="http://docs.splunk.com/Documentation/Splunk/5.0.1/admin/Propsconf">http://docs.splunk.com/Documentation/Splunk/5.0.1/admin/Propsconf</A></P> <P>In essence you're telling splunk where to start looking for a timestamp, you can set these either manually in props.conf or in the preview for new data inputs - the latter is likely the better option for you.</P> Thu, 31 Jan 2013 09:32:03 GMT martin_mueller 2013-01-31T09:32:03Z https://community.splunk.com/t5/Getting-Data-In/TImestamp-assignment-for-an-event/m-p/105823#M22258 <P>Hi ,</P> <P>Here is the sample log along with the line numbers mentioned ,which I am trying to upload to Splunk.</P> <P>1 ) a<BR /> 2 ) a1<BR /> 3 ) a2<BR /> 4 ) a3<BR /> 5 ) a4<BR /> 6 ) a5<BR /> 7 ) begin script 2013-01-15 02:26:27::Status :0<BR /> 8 ) Run_Job ::2013-01-15 02:26:27::pmcmd Return Code=0<BR /> 9 ) Run_Job ::2013-01-15 02:26:27::Workflow wf_FF completed Successfully..<BR /> 10 ) _Upd_DT_ID ::2013-01-15 02:30:14::Update Max Date in for JOB STREAM ID wf_FF<BR /> 11 ) *** Warning: EOF on INPUT stream.<BR /> 12 ) *** Warning: EOF on INPUT stream.<BR /> 13 ) :: .ksh::2013-01-15 02:30:15::Last Extract ID/LAST Extract DATE and SOURCE_FLAT_FILE_NAME updated successfully.<BR /> 14 ) *** Warning: EOF on INPUT stream.<BR /> 15 ) *** Warning: EOF on INPUT stream.<BR /> 16 ) ::2013-01-15 02:30:16::Completed. and updated successfully.<BR /> 17 ) ::2013-01-15 02:30:16::Removing the session specific Temp file<BR /> 18 ) ::2013-01-15 02:30:16::Successfully removed Temp file <BR /> 19 ) ::2013-01-15 02:30:16::End processing for workflow wf_FF<BR /> 20 ) ### Command completed.</P> <P>For the first 6 lines splunk assigned the timestamp when it is getting indexed and for the rest it is taking from the log data.</P> <P>Need the first 6 lines also merged with the second event so that it will get the timestamp from the log.</P> <P>Thanks in advance.</P> <P>Anitha.</P> Mon, 28 Sep 2020 13:12:42 GMT https://community.splunk.com/t5/Getting-Data-In/TImestamp-assignment-for-an-event/m-p/105823#M22258 AnithaL 2020-09-28T13:12:42Z https://community.splunk.com/t5/Getting-Data-In/TImestamp-assignment-for-an-event/m-p/105824#M22259 <P>You may be able to coerce those first lines into the next event by fiddling with the TIME_PREFIX value in props.conf - I didn't test that for this log though, just give it a go.</P> Thu, 31 Jan 2013 09:24:57 GMT https://community.splunk.com/t5/Getting-Data-In/TImestamp-assignment-for-an-event/m-p/105824#M22259 martin_mueller 2013-01-31T09:24:57Z https://community.splunk.com/t5/Getting-Data-In/TImestamp-assignment-for-an-event/m-p/105825#M22260 <P>Hi </P> <P>I am new to Splunk , not sure how to use TIME_PREFIX.</P> <P>Regards,<BR /> Anitha</P> Thu, 31 Jan 2013 09:28:26 GMT https://community.splunk.com/t5/Getting-Data-In/TImestamp-assignment-for-an-event/m-p/105825#M22260 AnithaL 2013-01-31T09:28:26Z https://community.splunk.com/t5/Getting-Data-In/TImestamp-assignment-for-an-event/m-p/105826#M22261 <P>In-depth documentation is <A href="http://docs.splunk.com/Documentation/Splunk/5.0.1/Data/ConfigurePositionalTimestampExtraction">http://docs.splunk.com/Documentation/Splunk/5.0.1/Data/ConfigurePositionalTimestampExtraction</A> and <A href="http://docs.splunk.com/Documentation/Splunk/5.0.1/admin/Propsconf">http://docs.splunk.com/Documentation/Splunk/5.0.1/admin/Propsconf</A></P> <P>In essence you're telling splunk where to start looking for a timestamp, you can set these either manually in props.conf or in the preview for new data inputs - the latter is likely the better option for you.</P> Thu, 31 Jan 2013 09:32:03 GMT https://community.splunk.com/t5/Getting-Data-In/TImestamp-assignment-for-an-event/m-p/105826#M22261 martin_mueller 2013-01-31T09:32:03Z https://community.splunk.com/t5/Getting-Data-In/TImestamp-assignment-for-an-event/m-p/105827#M22262 <P>This might also be helpful: <A href="http://docs.splunk.com/Documentation/Splunk/5.0.1/Data/Configuretimestamprecognition">http://docs.splunk.com/Documentation/Splunk/5.0.1/Data/Configuretimestamprecognition</A></P> Thu, 31 Jan 2013 10:47:27 GMT https://community.splunk.com/t5/Getting-Data-In/TImestamp-assignment-for-an-event/m-p/105827#M22262 Ayn 2013-01-31T10:47:27Z