https://community.splunk.com/t5/Splunk-Search/Can-I-change-time-based-on-time-within-data-that-is-ingested/m-p/537340#M151898 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/230905">@janesh22</a>,</P><P><SPAN>You can use TIME_PREFIX and TIME_FORMAT like below;</SPAN></P><LI-CODE lang="markup">[report_sourcetype] TIME_PREFIX = ReportID\=\w\d{3}_ TIME_FORMAT = %m%d%y.%H%M</LI-CODE> Wed, 27 Jan 2021 04:32:12 GMT scelikok 2021-01-27T04:32:12Z https://community.splunk.com/t5/Splunk-Search/Can-I-change-time-based-on-time-within-data-that-is-ingested/m-p/537338#M151896 <P>Hi ,&nbsp;</P><P>I have a report that is ingested in splunk. Due to the report format not correctly ingested by splunk, I had done some preprocessing of the report and named reportfile.rep and picked up by splunk every 15 mins. This report is delayed almost 40 minutes(as the processing and transferring of data takes time) , so the time stamp indexed by splunk is around 40 minutes delayed from the report. example:</P><P>&nbsp;</P><P><STRONG><U>sample file:</U></STRONG></P><P>reportfile.rep</P><P>ReportID=a004_012721.1400,Queue=xxx,AgentList=xxxx</P><P>ReportID=a004_012721.1400,Queue=xxx</P><P>&nbsp;</P><P>_time =&nbsp;<SPAN>2021-01-27T14:40:04.000+11:00</SPAN></P><P>So report was for 14:00 however _time is 14:40.&nbsp;</P><P>Is there anyway I can overwrite _time value to be picked up from the report file.&nbsp;</P><P>I had seen some examples in splunk answers using transforms.conf and props.conf. However this is based on using the actual file name and not the content inside the file.&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 27 Jan 2021 03:57:34 GMT https://community.splunk.com/t5/Splunk-Search/Can-I-change-time-based-on-time-within-data-that-is-ingested/m-p/537338#M151896 janesh22 2021-01-27T03:57:34Z https://community.splunk.com/t5/Splunk-Search/Can-I-change-time-based-on-time-within-data-that-is-ingested/m-p/537340#M151898 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/230905">@janesh22</a>,</P><P><SPAN>You can use TIME_PREFIX and TIME_FORMAT like below;</SPAN></P><LI-CODE lang="markup">[report_sourcetype] TIME_PREFIX = ReportID\=\w\d{3}_ TIME_FORMAT = %m%d%y.%H%M</LI-CODE> Wed, 27 Jan 2021 04:32:12 GMT https://community.splunk.com/t5/Splunk-Search/Can-I-change-time-based-on-time-within-data-that-is-ingested/m-p/537340#M151898 scelikok 2021-01-27T04:32:12Z https://community.splunk.com/t5/Splunk-Search/Can-I-change-time-based-on-time-within-data-that-is-ingested/m-p/537345#M151901 <P>Thanks&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/206061">@scelikok</a>&nbsp;</P><P>So do I just add these in props.conf and restart splunk to enable it?&nbsp;</P><P>&nbsp;</P> Wed, 27 Jan 2021 05:18:32 GMT https://community.splunk.com/t5/Splunk-Search/Can-I-change-time-based-on-time-within-data-that-is-ingested/m-p/537345#M151901 janesh22 2021-01-27T05:18:32Z https://community.splunk.com/t5/Splunk-Search/Can-I-change-time-based-on-time-within-data-that-is-ingested/m-p/537347#M151903 <P>You're welcome&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/230905">@janesh22</a>,</P><P>If you are running standalone Splunk it should be enough. If you are getting these reports using Universal Formarder, you should put this to indexers.</P><P>Please do not forget to change stanza name "report_sourcetype" with your real sourcetype.</P> Wed, 27 Jan 2021 05:26:58 GMT https://community.splunk.com/t5/Splunk-Search/Can-I-change-time-based-on-time-within-data-that-is-ingested/m-p/537347#M151903 scelikok 2021-01-27T05:26:58Z https://community.splunk.com/t5/Splunk-Search/Can-I-change-time-based-on-time-within-data-that-is-ingested/m-p/537516#M151966 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/206061">@scelikok</a>&nbsp;</P><P>I had added the below to proc.conf with the sourcetype name, however it still does not seem to be picking up the time . I had tried restarting the splunk as well.&nbsp;</P><P>Does this show up in any logs , if it is actually checking the conf file ?&nbsp;</P><P>Regards</P><P>Janesh&nbsp;</P> Thu, 28 Jan 2021 01:11:25 GMT https://community.splunk.com/t5/Splunk-Search/Can-I-change-time-based-on-time-within-data-that-is-ingested/m-p/537516#M151966 janesh22 2021-01-28T01:11:25Z