topic Re: Using a field within a log for the true timestamp in Getting Data In https://community.splunk.com/t5/Getting-Data-In/Using-a-field-within-a-log-for-the-true-timestamp/m-p/256812#M49363 <P>The below config in your props.conf on the indexer/hf should do the trick</P> <PRE><CODE>[unique_stanza_name] TIME_PREFIX = timestamp= TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N </CODE></PRE> <P>Verify correct stanza name, restart splunk service on indexer. All <STRONG><EM>new</EM></STRONG> data will have this field value for _time</P> Thu, 01 Sep 2016 16:23:07 GMT sundareshr 2016-09-01T16:23:07Z Using a field within a log for the true timestamp https://community.splunk.com/t5/Getting-Data-In/Using-a-field-within-a-log-for-the-true-timestamp/m-p/256811#M49362 <P>Here si the example log:</P> <PRE><CODE>Sep 1 11:23:48 HOSTNAME netflow: timestamp=2016-08-30T12:51:07.593 duration=1.246 proto=6 srcip=1.1.1.1 srcport=80 dstip=2.2.2.2 dstport=62018 inpkt=5 inbyte=724 outpkt=6 outbyte=815 fl=2 </CODE></PRE> <P>The fieldname "timestamp" is the true timestamp of the event. The first date in the log is just when the netflow data was converted.</P> <P>How do I use "timestamp" as the Splunk date/time? I know how to do timestamps when the times are the first part of the log, but not within it.</P> <P>Thanks!</P> Thu, 01 Sep 2016 15:51:08 GMT https://community.splunk.com/t5/Getting-Data-In/Using-a-field-within-a-log-for-the-true-timestamp/m-p/256811#M49362 aferone 2016-09-01T15:51:08Z Re: Using a field within a log for the true timestamp https://community.splunk.com/t5/Getting-Data-In/Using-a-field-within-a-log-for-the-true-timestamp/m-p/256812#M49363 <P>The below config in your props.conf on the indexer/hf should do the trick</P> <PRE><CODE>[unique_stanza_name] TIME_PREFIX = timestamp= TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N </CODE></PRE> <P>Verify correct stanza name, restart splunk service on indexer. All <STRONG><EM>new</EM></STRONG> data will have this field value for _time</P> Thu, 01 Sep 2016 16:23:07 GMT https://community.splunk.com/t5/Getting-Data-In/Using-a-field-within-a-log-for-the-true-timestamp/m-p/256812#M49363 sundareshr 2016-09-01T16:23:07Z Re: Using a field within a log for the true timestamp https://community.splunk.com/t5/Getting-Data-In/Using-a-field-within-a-log-for-the-true-timestamp/m-p/256813#M49364 <P>Works like a champ! Thanks for responding!</P> Thu, 01 Sep 2016 18:26:34 GMT https://community.splunk.com/t5/Getting-Data-In/Using-a-field-within-a-log-for-the-true-timestamp/m-p/256813#M49364 aferone 2016-09-01T18:26:34Z