topic Re: Change timestamp of input data during indexing in Getting Data In

Change timestamp of input data during indexing

ashabc — Tue, 29 Sep 2020 15:07:33 GMT

I have a simple file that is generated by a script for which I do not have a control. The content of the file is like below

{
  "total": 15615
}
{
  "limit": 32250
}

Splunk can parse data well using sourcetype=json_no_timestamp
As a default the timestamp for the indexed data is the current system time

Is there a way I can modify the date time for this particular input (I am using file monitor)? I would like the date stamp to be 1 day behind than the current system time, as data in the file actually represents yesterday's information and not today's.

Re: Change timestamp of input data during indexing

sbbadri — Tue, 29 Sep 2020 15:07:44 GMT

@ashabc
try this,

you need to do this in the indexer

props.conf

[your sourcetypename]
EVAL-newDate = _time
EVAL-newDate1 = newDate - 86400
EVAL-_time = strftime(newDate1,"%Y-%m-%d %H:%M:%S")

I hope this helps

Re: Change timestamp of input data during indexing

ashabc — Tue, 01 Aug 2017 21:45:04 GMT

Thank you so much for such a prompt response. I tried this in props.conf, and it appears that splunk does not recognise time format any more after applying this conversion in props.conf for this sourcetype

Could this be because of strftime converts timestamp to string?

Re: Change timestamp of input data during indexing

ashabc — Tue, 29 Sep 2020 15:11:12 GMT

Actually I got it working using a search time modifier

eval _time=_time-86400

Thank you for pointing me to the right direction.