How can I overwrite _time upon inserting data into...

sccheah82 · ‎03-01-2023

I have data dated "2-14-2022".

When I insert the data into Splunk today, the _time becomes "3-2-2023".

How can I overwrite _time to preserve the value as "2-14-2022" even though I insert the data at "3-2-2023", without creating an additional field to store the snapshot of datetime?

The reason I would like to do that is because

(1) I can leverage on the Splunk Time Range selector to limit my search query, instead of creating the time range selector myself.

(2) I observed the query turnaround time is faster if we limit the data by earliest=1677686400 latest=1677980130 (2.2 seconds query turnaround time) than using start_date & end_date that are associated to the custom input fields that I created (*194 seconds query turnaround time).

tscroggins · ‎03-12-2023

@sccheah82

Hi,

If you're uploading data through Splunk Web, you can adjust line breaking and timestamp extraction on the Set Source Type page.

2-14-2022 Example one.
 2-14-2022 Example two with leading space.
(empty line)

Note that very old events (> 900 days by default but perhaps earlier in your environment) may be quarantined (written to a separate bucket), and depending on your environment's retention settings, may not remain online for as long as you'd hoped. Check with your Splunk administrator for your environment's specific characteristics.

How can I overwrite _time upon inserting data into Splunk?

search

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?