https://community.splunk.com/t5/Getting-Data-In/How-to-force-Splunk-use-epoch-time-in-the-log-file-as-index-time/m-p/273472#M52477 <P>Was this change made on the UF sending the data or the indexer? Indexed extractions have to be where the data is ingested, so if it's a UF then the props have to be there.</P> Wed, 14 Dec 2016 17:21:41 GMT beatus 2016-12-14T17:21:41Z https://community.splunk.com/t5/Getting-Data-In/How-to-force-Splunk-use-epoch-time-in-the-log-file-as-index-time/m-p/273469#M52474 <P>I have following logs from a customer device:</P> <PRE><CODE>0080101c40ba,10.10.1.2,1481421584,host1.labtest.com,error-message1,sev1 0080101c4114,10.33.1.3,1481421595,host2.labtest.com,error-message2,sev2 </CODE></PRE> <P>props.conf</P> <PRE><CODE>[csv] FIELD_DELIMITER = , FIELD_NAMES = transactionId, hostIp, time, fqdn, MsgType, Severity TIME_PREFIX = ^(?:[^,]*,){2} MAX_TIMESTAMP_LOOKAHEAD = 10 TIME_FORMAT = %s SHOULD_LINEMERGE = False pulldown_type = 1 REPORT-getfields = testlog_fields </CODE></PRE> <P>transforms.conf:</P> <PRE><CODE>[testlog_fields] DELIMS="," FIELDS = "transactionId", "hostIp", "time", "fqdn", "MsgType", "Severity" </CODE></PRE> <P>The log files I received have incorrect timestamp on it, meaning not the time when the logs were generated. After ingested the logs, I noticed Splunk is using the log ingest time for index time (as shown in _time). Is there anyway to force Splunk use the epoch time inside the logs as Index time so that I can search for "last 7 days", "last month" event?</P> <P>Thanks </P> Wed, 14 Dec 2016 15:18:26 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-force-Splunk-use-epoch-time-in-the-log-file-as-index-time/m-p/273469#M52474 jgcsco 2016-12-14T15:18:26Z https://community.splunk.com/t5/Getting-Data-In/How-to-force-Splunk-use-epoch-time-in-the-log-file-as-index-time/m-p/273470#M52475 <P>jgcsco,<BR /> It looks like the "csv" sourcetype utilizes "INDEXED_EXTRACTIONS" by default. This causes much of the props work to happen at the very first splunk instance the data hits, including Universal forwarders. If that's the case, you'd want to put your props there and utilize a few other config settings. Namely:</P> <BLOCKQUOTE> <P>[csv]<BR /> FIELD_DELIMITER = ,<BR /> FIELD_NAMES = transactionId, hostIp, time, fqdn, MsgType, Severity<BR /> MAX_TIMESTAMP_LOOKAHEAD = 10<BR /> TIME_FORMAT = %s<BR /> TIMESTAMP_FIELDS = time<BR /> INDEXED_EXTRACTIONS = csv</P> </BLOCKQUOTE> <P>Note the "TIMESTAMP_FIELDS" and "INDEXED_EXTRACTIONS". I'm setting "INDEXED_EXTRACTIONS" to be verbose and avoid confusion in the future. Additionally you do not need a timeprefix as you're specifying the specific field for Splunk to look at for a time stamp.</P> <P>You can check with btool what's being set on your sourcetype:</P> <BLOCKQUOTE> <P>splunk btool props list csv --debug</P> </BLOCKQUOTE> <P>This will show all the props settings for that stanza and where they're set.</P> Tue, 29 Sep 2020 12:05:07 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-force-Splunk-use-epoch-time-in-the-log-file-as-index-time/m-p/273470#M52475 beatus 2020-09-29T12:05:07Z https://community.splunk.com/t5/Getting-Data-In/How-to-force-Splunk-use-epoch-time-in-the-log-file-as-index-time/m-p/273471#M52476 <P>I added the following two line to props.conf</P> <P>TIMESTAMP_FIELDS = time<BR /> INDEXED_EXTRACTIONS = csv</P> <P>And here is the output:<BR /> /opt/splunk/etc/apps/search/local# /opt/splunk/bin/splunk btool props list csv --debug<BR /> /opt/splunk/etc/apps/search/local/props.conf [csv]<BR /> /opt/splunk/etc/system/default/props.conf ANNOTATE_PUNCT = True<BR /> /opt/splunk/etc/system/default/props.conf AUTO_KV_JSON = true<BR /> /opt/splunk/etc/system/default/props.conf BREAK_ONLY_BEFORE =<BR /> /opt/splunk/etc/system/default/props.conf BREAK_ONLY_BEFORE_DATE = True<BR /> /opt/splunk/etc/system/default/props.conf CHARSET = UTF-8<BR /> /opt/splunk/etc/system/default/props.conf DATETIME_CONFIG = /etc/datetime.xml<BR /> /opt/splunk/etc/system/default/props.conf HEADER_MODE =<BR /> /opt/splunk/etc/system/default/props.conf INDEXED_EXTRACTIONS = csv<BR /> /opt/splunk/etc/system/default/props.conf KV_MODE = none<BR /> /opt/splunk/etc/system/default/props.conf LEARN_MODEL = true<BR /> /opt/splunk/etc/system/default/props.conf LEARN_SOURCETYPE = true<BR /> /opt/splunk/etc/system/default/props.conf LINE_BREAKER_LOOKBEHIND = 100<BR /> /opt/splunk/etc/system/default/props.conf MAX_DAYS_AGO = 2000<BR /> /opt/splunk/etc/system/default/props.conf MAX_DAYS_HENCE = 2<BR /> /opt/splunk/etc/system/default/props.conf MAX_DIFF_SECS_AGO = 3600<BR /> /opt/splunk/etc/system/default/props.conf MAX_DIFF_SECS_HENCE = 604800<BR /> /opt/splunk/etc/system/default/props.conf MAX_EVENTS = 256<BR /> /opt/splunk/etc/system/default/props.conf MAX_TIMESTAMP_LOOKAHEAD = 128<BR /> /opt/splunk/etc/system/default/props.conf MUST_BREAK_AFTER =<BR /> /opt/splunk/etc/system/default/props.conf MUST_NOT_BREAK_AFTER =<BR /> /opt/splunk/etc/system/default/props.conf MUST_NOT_BREAK_BEFORE =<BR /> /opt/splunk/etc/system/default/props.conf SEGMENTATION = indexing<BR /> /opt/splunk/etc/system/default/props.conf SEGMENTATION-all = full<BR /> /opt/splunk/etc/system/default/props.conf SEGMENTATION-inner = inner<BR /> /opt/splunk/etc/system/default/props.conf SEGMENTATION-outer = outer<BR /> /opt/splunk/etc/system/default/props.conf SEGMENTATION-raw = none<BR /> /opt/splunk/etc/system/default/props.conf SEGMENTATION-standard = standard<BR /> /opt/splunk/etc/system/default/props.conf SHOULD_LINEMERGE = False<BR /> /opt/splunk/etc/system/default/props.conf TRANSFORMS =<BR /> /opt/splunk/etc/system/default/props.conf TRUNCATE = 10000<BR /> /opt/splunk/etc/system/default/props.conf category = Structured<BR /> /opt/splunk/etc/system/default/props.conf description = Comma-separated value format. Set header and other settings in "Delimited Settings"<BR /> /opt/splunk/etc/system/default/props.conf detect_trailing_nulls = false<BR /> /opt/splunk/etc/system/default/props.conf maxDist = 100<BR /> /opt/splunk/etc/system/default/props.conf priority =<BR /> /opt/splunk/etc/system/default/props.conf pulldown_type = true<BR /> /opt/splunk/etc/system/default/props.conf sourcetype =</P> <P>After restart Splunk, I am still not seeing the _time change to match the epoch time in the logs. Do I miss anything else?</P> <P>Thanks</P> Tue, 29 Sep 2020 12:07:20 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-force-Splunk-use-epoch-time-in-the-log-file-as-index-time/m-p/273471#M52476 jgcsco 2020-09-29T12:07:20Z https://community.splunk.com/t5/Getting-Data-In/How-to-force-Splunk-use-epoch-time-in-the-log-file-as-index-time/m-p/273472#M52477 <P>Was this change made on the UF sending the data or the indexer? Indexed extractions have to be where the data is ingested, so if it's a UF then the props have to be there.</P> Wed, 14 Dec 2016 17:21:41 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-force-Splunk-use-epoch-time-in-the-log-file-as-index-time/m-p/273472#M52477 beatus 2016-12-14T17:21:41Z https://community.splunk.com/t5/Getting-Data-In/How-to-force-Splunk-use-epoch-time-in-the-log-file-as-index-time/m-p/273473#M52478 <P>This is a single node environment. The log files in on the directory on the splunk node. </P> Wed, 14 Dec 2016 18:51:20 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-force-Splunk-use-epoch-time-in-the-log-file-as-index-time/m-p/273473#M52478 jgcsco 2016-12-14T18:51:20Z https://community.splunk.com/t5/Getting-Data-In/How-to-force-Splunk-use-epoch-time-in-the-log-file-as-index-time/m-p/273474#M52479 <P>Is the time off by a set of hours, as in does it look like the timezone is wrong but the minutes and seconds are correct?</P> Wed, 14 Dec 2016 18:57:03 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-force-Splunk-use-epoch-time-in-the-log-file-as-index-time/m-p/273474#M52479 beatus 2016-12-14T18:57:03Z https://community.splunk.com/t5/Getting-Data-In/How-to-force-Splunk-use-epoch-time-in-the-log-file-as-index-time/m-p/273475#M52480 <P>The time shows up in Splunk is the time the log being ingested. e.g there are over 100 log files ingested yesterday which have logged event information for the last two weeks. I am looking for if there is a way to have Splunk can use the epoch time associated with each event in inside the log files as "_time". </P> Wed, 14 Dec 2016 19:03:33 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-force-Splunk-use-epoch-time-in-the-log-file-as-index-time/m-p/273475#M52480 jgcsco 2016-12-14T19:03:33Z https://community.splunk.com/t5/Getting-Data-In/How-to-force-Splunk-use-epoch-time-in-the-log-file-as-index-time/m-p/273476#M52481 <P>Time is an index time operation, so modifying these settings won't change what's already in Splunk. Have you tested on new data after modifying the settings?</P> Wed, 14 Dec 2016 19:13:20 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-force-Splunk-use-epoch-time-in-the-log-file-as-index-time/m-p/273476#M52481 beatus 2016-12-14T19:13:20Z https://community.splunk.com/t5/Getting-Data-In/How-to-force-Splunk-use-epoch-time-in-the-log-file-as-index-time/m-p/273477#M52482 <P>thanks for pointing it out. It is working now! Thanks a lot for your help!</P> Wed, 14 Dec 2016 21:17:33 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-force-Splunk-use-epoch-time-in-the-log-file-as-index-time/m-p/273477#M52482 jgcsco 2016-12-14T21:17:33Z