https://community.splunk.com/t5/Getting-Data-In/Index-events-with-timestamp-of-previous-day/m-p/527639#M88980 <P>We have a report from a system that needs to be indexed into splunk on monthly basis. This report is generated on 1st day of every month.&nbsp;</P><P>Our requirement is to index events in this report on last day of previous month. So i want to index data from this report with timestamp of previous day.</P><P>Is this possible?</P> Tue, 03 Nov 2020 06:23:43 GMT rajeshjlnt 2020-11-03T06:23:43Z https://community.splunk.com/t5/Getting-Data-In/Index-events-with-timestamp-of-previous-day/m-p/527639#M88980 <P>We have a report from a system that needs to be indexed into splunk on monthly basis. This report is generated on 1st day of every month.&nbsp;</P><P>Our requirement is to index events in this report on last day of previous month. So i want to index data from this report with timestamp of previous day.</P><P>Is this possible?</P> Tue, 03 Nov 2020 06:23:43 GMT https://community.splunk.com/t5/Getting-Data-In/Index-events-with-timestamp-of-previous-day/m-p/527639#M88980 rajeshjlnt 2020-11-03T06:23:43Z https://community.splunk.com/t5/Getting-Data-In/Index-events-with-timestamp-of-previous-day/m-p/527645#M88982 <P>Hi</P><P>I'm not sure if I understood right your question, but you could get last month events by the next query:</P><LI-CODE lang="markup">index=_internal earliest=-1mon@mon latest=-0mon@mon | stats earliest(_time) as eTime latest(_time) as lTime | eval eTime = strftime(eTime, "%F %T %z"), lTime = strftime(lTime, "%F %T %z") | table eTime lTime</LI-CODE><P>To show reports day e.g. as last day of previous month just take day part of lTime (I suppose that you have events on it).</P><P>r. Ismo</P> Tue, 03 Nov 2020 07:07:23 GMT https://community.splunk.com/t5/Getting-Data-In/Index-events-with-timestamp-of-previous-day/m-p/527645#M88982 isoutamo 2020-11-03T07:07:23Z https://community.splunk.com/t5/Getting-Data-In/Index-events-with-timestamp-of-previous-day/m-p/527650#M88985 <P>Thanks for your response&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/214410">@isoutamo</a>&nbsp;, but my question is to manipulate timestamp during indexing events.</P><P>During event indexing there are settings in sourcetype like Auto, Current, Advanced and Configuration file. I would like to know if there is a way to set timestamp to be (current time - 1 day)</P> Tue, 03 Nov 2020 07:35:19 GMT https://community.splunk.com/t5/Getting-Data-In/Index-events-with-timestamp-of-previous-day/m-p/527650#M88985 rajeshjlnt 2020-11-03T07:35:19Z https://community.splunk.com/t5/Getting-Data-In/Index-events-with-timestamp-of-previous-day/m-p/527654#M88987 I haven't try this but there is INGEST_EVAL on transforms.conf (<A href="https://docs.splunk.com/Documentation/Splunk/8.1.0/Admin/Transformsconf" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.1.0/Admin/Transformsconf</A>) which can help you.<BR />r. Ismo Tue, 03 Nov 2020 07:58:29 GMT https://community.splunk.com/t5/Getting-Data-In/Index-events-with-timestamp-of-previous-day/m-p/527654#M88987 isoutamo 2020-11-03T07:58:29Z https://community.splunk.com/t5/Getting-Data-In/Index-events-with-timestamp-of-previous-day/m-p/527694#M88992 <P>thanks&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/214410">@isoutamo</a>&nbsp;for showing right direction</P> Tue, 03 Nov 2020 12:13:36 GMT https://community.splunk.com/t5/Getting-Data-In/Index-events-with-timestamp-of-previous-day/m-p/527694#M88992 rajeshjlnt 2020-11-03T12:13:36Z https://community.splunk.com/t5/Getting-Data-In/Index-events-with-timestamp-of-previous-day/m-p/527695#M88993 <P>I added following in props.conf and transforms.conf to get the desired results,</P><P>transforms.conf</P><P>[timestamp-currenttime-oneday]<BR />INGEST_EVAL = _time=time() - 86400</P><P>props.conf</P><P>[mysourcetype]<BR />TRANSFORMS-gettime = timestamp-currenttime-oneday</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 03 Nov 2020 12:21:23 GMT https://community.splunk.com/t5/Getting-Data-In/Index-events-with-timestamp-of-previous-day/m-p/527695#M88993 rajeshjlnt 2020-11-03T12:21:23Z