https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-set-time-to-a-specific-field/m-p/224345#M43924 <P>Hello,</P> <P>I am trying to use a timestamp that is NOT _time. My time stamp is Transaction_Date. When I click the small magnifying glass near the timepicker in the search command, I am getting all results , which means it picking _time and Not Transaction date. I tried all the below commands and still not working. can you please help.</P> <PRE><CODE>index=base search... | eval _time=strptime(Transaction_Date,"%Y-%m-%d %H:%M:%S.%N") </CODE></PRE> <P>I just want the magnifying glass to pick Transaction_Date timestamp and Not _time originally indexed.</P> Tue, 29 Sep 2020 10:32:06 GMT splunk_hvijay 2020-09-29T10:32:06Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-set-time-to-a-specific-field/m-p/224337#M43916 <P>We ended up using the following - </P> <PRE><CODE>base search | eval _time=strptime(eventStartTime,"%Y-%m-%d %H:%M:%S.%N") </CODE></PRE> <P>Which works perfectly. </P> <P>Is there a way to set it up in the configuration, so eventStartTime is assigned to _time?</P> Wed, 27 Apr 2016 19:22:39 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-set-time-to-a-specific-field/m-p/224337#M43916 ddrillic 2016-04-27T19:22:39Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-set-time-to-a-specific-field/m-p/224338#M43917 <P>This should be configured during the event ingestion. COntact your Splunk Admin to set the timestamp parsing for the sourcetype that you're using, to permanently assign eventStartTime to _time.</P> Wed, 27 Apr 2016 19:36:26 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-set-time-to-a-specific-field/m-p/224338#M43917 somesoni2 2016-04-27T19:36:26Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-set-time-to-a-specific-field/m-p/224339#M43918 <P>If all events from this source have eventStartTime you can setup a props.conf setting for that source/sourcetype that tells splunk what timestamp to use when assigning the _time value.</P> <P>Based on the event you provided , and assuming that your events are not multi-lined, you could add this to your indexers props.conf. </P> <PRE><CODE>[source::/opt/log/yourLog] TIME_FORMAT=%Y-%m-%d %H:%M:%S.%3N TIME_PREFIX=eventStartTime= SHOULD_LINEMERGE = false </CODE></PRE> Wed, 27 Apr 2016 19:41:38 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-set-time-to-a-specific-field/m-p/224339#M43918 cramasta 2016-04-27T19:41:38Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-set-time-to-a-specific-field/m-p/224340#M43919 <P>It would help to see some sample events. In general, however, you probably need to adjust the settings for that sourcetype in your props.conf file. There may be another timestamp prior to eventStartTime that Splunk is finding and using for _time. In particular, check out the <CODE>TIME_PREFIX</CODE>, <CODE>MAX_TIMESTAMP_LOOKAHEAD</CODE>, <CODE>TIME_FORMAT</CODE> attributes.</P> Tue, 29 Sep 2020 09:33:27 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-set-time-to-a-specific-field/m-p/224340#M43919 richgalloway 2020-09-29T09:33:27Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-set-time-to-a-specific-field/m-p/224341#M43920 <P>An event looks like - </P> <PRE><CODE>level=WARN [http-/xxx.xx.xxx.xxx:8080-1]|logTime=2016-04-28 12:51:57,250 UTC |e2eElapsedTime=3|protocol=http|ext.request.header.x-forwarded-server=xxxxx.xxxx.xxxx.com|host=xxxxxx.xxx.com/10.106.204.36|ext.request.header.content-length=null|operationStatus=SUCCESS|ext.request.header.postback-url=null|eventStartTime=2016-04-28 07:51:57.246|ext.request.header.x-forwarded-host=xxx.xx.xxx.xxx/xxx.xx.xxx.xxx|ext.request.header.user-agent=Apache-HttpClient/4.5 (Java/1.7.0_80)|destination=http://xxxx.xxx.xxx.com/xxxx/v1.0/responsestatus/xxxxxx/ef032e5b-39d0-49d8-b31a-0407f5e67926|eventElapsedTime=3|operationDetail=SUCCESS-200-SUCCESSFUL-OK|node=56a126c8f3d723a3c6004070|environment=xxxxx|ext.request.header.content-type=application/json|transID=|component=cisl|external_correlation_id=null|ext.request.header.x-client-ip=10.237.76.72/10.237.76.72|ext.request.header.clientid=null|src=10.237.76.72|activity=GET-&gt;/xxxx/v1.0/responsestatus/clinicalauthorizations/ef032e5b-39d0-49d8-b31a-0407f5e67926 </CODE></PRE> <P>So, logTime appears before eventStartTime.</P> Thu, 28 Apr 2016 14:07:37 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-set-time-to-a-specific-field/m-p/224341#M43920 ddrillic 2016-04-28T14:07:37Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-set-time-to-a-specific-field/m-p/224342#M43921 <P>Really great. I just made the change and restarted Splunk. Is there a "confirmation", in a sense, in a log file, for example, which acknowledges that the config change takes place?</P> Thu, 28 Apr 2016 15:29:11 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-set-time-to-a-specific-field/m-p/224342#M43921 ddrillic 2016-04-28T15:29:11Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-set-time-to-a-specific-field/m-p/224343#M43922 <P>qq, if the <CODE>eventStartTime</CODE> field doesn't exist in the event, what would be the behavior? </P> Mon, 09 May 2016 18:45:08 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-set-time-to-a-specific-field/m-p/224343#M43922 ddrillic 2016-05-09T18:45:08Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-set-time-to-a-specific-field/m-p/224344#M43923 <P>Taking a guess here but I believe it would use the time of the previous event. Think you would see a warn message like this</P> <P>05-09-2016 18:57:01.213 +0000 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Mon May 9 18:57:00 2016)</P> Mon, 09 May 2016 18:58:48 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-set-time-to-a-specific-field/m-p/224344#M43923 cramasta 2016-05-09T18:58:48Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-set-time-to-a-specific-field/m-p/224345#M43924 <P>Hello,</P> <P>I am trying to use a timestamp that is NOT _time. My time stamp is Transaction_Date. When I click the small magnifying glass near the timepicker in the search command, I am getting all results , which means it picking _time and Not Transaction date. I tried all the below commands and still not working. can you please help.</P> <PRE><CODE>index=base search... | eval _time=strptime(Transaction_Date,"%Y-%m-%d %H:%M:%S.%N") </CODE></PRE> <P>I just want the magnifying glass to pick Transaction_Date timestamp and Not _time originally indexed.</P> Tue, 29 Sep 2020 10:32:06 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-set-time-to-a-specific-field/m-p/224345#M43924 splunk_hvijay 2020-09-29T10:32:06Z