topic Re: timestamp=none in Getting Data In

timestamp=none

gcusello — Tue, 29 Sep 2020 07:56:52 GMT

I acquired some logs from a scrip (close to ps.sh) with a timestamp correctly recognized at index time.
The problem is that the "timestamp" field is always equal to "none" so I cannot have the other date fields (date_wday, date_hour, etc...).
I tried to configure the TIMESTAMP_FORMAT but I always acquire events with "timestamp=none".
Anyone has any idea?
thank you in advance.
Bye.
Giuseppe

Re: timestamp=none

woodcock — Fri, 20 Nov 2015 16:03:01 GMT

When you use a scripted input the default is to use now as the timestamp so the usual timestamp normalization is not necessary, not done, and all the date* fileds are not created (which are ALWAYS WRONG anyway so they should NEVER be used; you should always create your own with eval date_whatever = strftime(_time, "whatever")). Additionally, in such a circumstance, a timestamp field set to value none is created. There is no need to configure anything; this is all normal. Your events (timestamps) are fine.

Also, see this Q&A about those fields (and how and why to create your own):
https://answers.splunk.com/answers/243017/counting-the-total-number-of-days-for-all-time.html

Re: timestamp=none

gcusello — Fri, 20 Nov 2015 16:32:19 GMT

Ok I extracted weekday and hours from _time using eval.
thank you.
Giuseppe