All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I overwrite _time upon inserting data into Splunk?

sccheah82
Explorer
‎03-01-2023 05:58 PM

I have data dated "2-14-2022". 

When I insert the data into Splunk today, the _time becomes "3-2-2023".

How can I overwrite _time to preserve the value as "2-14-2022" even though I insert the data at "3-2-2023", without creating an additional field to store the snapshot of datetime?

The reason I would like to do that is because

(1) I can leverage on the Splunk Time Range selector to limit my search query, instead of creating the time range selector myself.

(2) I observed the query turnaround time is faster if we limit the data by earliest=1677686400 latest=1677980130  (2.2 seconds query turnaround time) than using start_date & end_date that are associated to the custom input fields that I created (*194 seconds query turnaround time).

 

 

 

 

Labels (1)
Labels
0 Karma
Reply

tscroggins
Influencer
‎03-12-2023 01:02 PM

@sccheah82 

Hi,

If you're uploading data through Splunk Web, you can adjust line breaking and timestamp extraction on the Set Source Type page.

2-14-2022 Example one.
 2-14-2022 Example two with leading space.
(empty line)

tscroggins_0-1678650711585.png

Note that very old events (> 900 days by default but perhaps earlier in your environment) may be quarantined (written to a separate bucket), and depending on your environment's retention settings, may not remain online for as long as you'd hoped. Check with your Splunk administrator for your environment's specific characteristics.

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...