topic Re: How to generate a proper timestamp on events? in Getting Data In

How to generate a proper timestamp on events?

dominiquevocat — Wed, 30 Nov 2016 17:09:50 GMT

I have data where i get a date/timestamp as a string and an offset as a string from some API.

I manage to generate the _time field and it shows properly in the event view and stuff like time based drilldown (plus minus n seconds) works.

However only the field _time is available on the event and the date_hour etc fields do not show up, thus timechart etc won't work.

I tried to generate the timestamp subfields and append them to the event but they are not visible in Splunk.

What do i need to take care of to get proper events with a proper timestamp?

Re: How to generate a proper timestamp on events?

niketn — Tue, 29 Sep 2020 11:57:32 GMT

One of the crude options in our case would be to overwrite _time with field_time. Provided field_time is time stored in string format. PS: The time format below is assuming string date time string is in YYYY/MM/DD HH:MM:SS format. You can use your own time formatting based on your exiisting field_time values.
| eval _time= strptime(field_time,"%Y/%m/%d %H:%M:S") | timechart ...

If field_time contains epoch time and not string time then direct assignment should work:
** | eval _time=field_time | timechart **...

Since identification of exact time for various event is most crucial for Splunk, ideally, _time should be parsed and identified directly during data ingestion for optimal performance and accurate results. Any modifications to _time field afterwards may lead to unwanted results and issues.

Re: How to generate a proper timestamp on events?

dominiquevocat — Fri, 02 Dec 2016 16:57:13 GMT

doh'

if i just send it as epoch its fine. Erm.

Re: How to generate a proper timestamp on events?

dominiquevocat — Sun, 04 Dec 2016 19:21:31 GMT

Just return _time as epoch.