https://community.splunk.com/t5/Getting-Data-In/Splunk-Adjusting-source-file-timestamp/m-p/326627#M60701 <P>You can do it in search like this:</P> <PRE><CODE> ...| eval _time=if(host=server_2,_time+13,_time) | convert ctime(_time) </CODE></PRE> <P>_time equals (if server_2, add 13s to_time, else use _time)</P> <P>The eval will end up changing _time to epoch in visualizations... add the convert to swap it back to human readable format.</P> <P>You can do it in search time props like this (maybe, just not sure if it works with _time)</P> <PRE><CODE> [host::server_2] EVAL-_time = _time+13 </CODE></PRE> <P>Cheers,<BR /> JKAT</P> Tue, 29 Sep 2020 15:40:55 GMT jkat54 2020-09-29T15:40:55Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Adjusting-source-file-timestamp/m-p/326626#M60700 <P>Given:<BR /> I have two log files (file_1, file_2)<BR /> Each from a different server (server_1, server_2).<BR /> The servers are not property synchronized via ntpd. (Example: server_1 is 13 seconds ahead of server_2.)<BR /> I do not have the ability to adjust or correct the server times.<BR /> I am the Splunk user, not the Splunk administrator.</P> <P>Problem: After ingesting each of the log files, the events are off by 13 seconds (obviously).</P> <P>Question: Can I adjust the _time for all events in source=file_2 by 13 seconds so the events line up correctly in search results, graphs, etc.?</P> Tue, 29 Sep 2020 15:40:50 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Adjusting-source-file-timestamp/m-p/326626#M60700 nageshkumarapp 2020-09-29T15:40:50Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Adjusting-source-file-timestamp/m-p/326627#M60701 <P>You can do it in search like this:</P> <PRE><CODE> ...| eval _time=if(host=server_2,_time+13,_time) | convert ctime(_time) </CODE></PRE> <P>_time equals (if server_2, add 13s to_time, else use _time)</P> <P>The eval will end up changing _time to epoch in visualizations... add the convert to swap it back to human readable format.</P> <P>You can do it in search time props like this (maybe, just not sure if it works with _time)</P> <PRE><CODE> [host::server_2] EVAL-_time = _time+13 </CODE></PRE> <P>Cheers,<BR /> JKAT</P> Tue, 29 Sep 2020 15:40:55 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Adjusting-source-file-timestamp/m-p/326627#M60701 jkat54 2020-09-29T15:40:55Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Adjusting-source-file-timestamp/m-p/326628#M60702 <P>You will have to regularly check the time drift and update accordingly (or automate it) because unchecked system time will continue to drift further </P> <P>You COULD also use the index_time instead of _time for your searching, though that could have a little bit of latency (but hopefully not 13 seconds worth). That won't require the updating of the time drift.</P> Fri, 08 Sep 2017 15:24:57 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Adjusting-source-file-timestamp/m-p/326628#M60702 cpetterborg 2017-09-08T15:24:57Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Adjusting-source-file-timestamp/m-p/326629#M60703 <P>I concur!!!</P> Sun, 10 Sep 2017 12:07:51 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Adjusting-source-file-timestamp/m-p/326629#M60703 jkat54 2017-09-10T12:07:51Z