https://community.splunk.com/t5/Getting-Data-In/Adding-Multiple-time-stamp-fields-in-props-file-sourcetype/m-p/211405#M96218 <P>can you add some sample events?</P> Mon, 07 Nov 2016 13:18:20 GMT niketn 2016-11-07T13:18:20Z https://community.splunk.com/t5/Getting-Data-In/Adding-Multiple-time-stamp-fields-in-props-file-sourcetype/m-p/211404#M96217 <P>I have a source file with multiple dates and timestamp as separate fields. I want to use last_changed and last_changed_time fields..<BR /> Both are in different format<BR /> last_changed = %d.%m.%Y<BR /> last_changed_time = %H:%M:%S %p</P> <P>While defining sourcetype - Timestamp fields - last_changed,last_changed_time ... How to give timestamp format since 2 fields are present in timestamp fields? Please suggest!</P> Tue, 29 Sep 2020 11:41:18 GMT https://community.splunk.com/t5/Getting-Data-In/Adding-Multiple-time-stamp-fields-in-props-file-sourcetype/m-p/211404#M96217 k_harini 2020-09-29T11:41:18Z https://community.splunk.com/t5/Getting-Data-In/Adding-Multiple-time-stamp-fields-in-props-file-sourcetype/m-p/211405#M96218 <P>can you add some sample events?</P> Mon, 07 Nov 2016 13:18:20 GMT https://community.splunk.com/t5/Getting-Data-In/Adding-Multiple-time-stamp-fields-in-props-file-sourcetype/m-p/211405#M96218 niketn 2016-11-07T13:18:20Z https://community.splunk.com/t5/Getting-Data-In/Adding-Multiple-time-stamp-fields-in-props-file-sourcetype/m-p/211406#M96219 <P>Hi k_harini,<BR /> if you could share an example will be more efficient.<BR /> Every way, if you have something like this:<BR /> 01.11.2016|01.11.2016|02.11.2016|11:58:56 AM|11:58:57 AM|11:59:09 AM<BR /> and you need to take the first and the fourth fields, you could use in TIMESTAMP_FORMAT something like this <CODE>%d.%m.%Y\|\d+\.\d+\.\d+\|\d+\.\d+\.\d+\|%H:%M:%S %p</CODE></P> <P>Bye.<BR /> Giuseppe</P> Tue, 29 Sep 2020 11:46:18 GMT https://community.splunk.com/t5/Getting-Data-In/Adding-Multiple-time-stamp-fields-in-props-file-sourcetype/m-p/211406#M96219 gcusello 2020-09-29T11:46:18Z