All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I overwrite _time upon inserting data into Splunk?

sccheah82
Explorer
‎03-01-2023 05:58 PM

I have data dated "2-14-2022". 

When I insert the data into Splunk today, the _time becomes "3-2-2023".

How can I overwrite _time to preserve the value as "2-14-2022" even though I insert the data at "3-2-2023", without creating an additional field to store the snapshot of datetime?

The reason I would like to do that is because

(1) I can leverage on the Splunk Time Range selector to limit my search query, instead of creating the time range selector myself.

(2) I observed the query turnaround time is faster if we limit the data by earliest=1677686400 latest=1677980130  (2.2 seconds query turnaround time) than using start_date & end_date that are associated to the custom input fields that I created (*194 seconds query turnaround time).

 

 

 

 

Labels (1)
Labels
0 Karma
Reply

tscroggins
Influencer
‎03-12-2023 01:02 PM

@sccheah82 

Hi,

If you're uploading data through Splunk Web, you can adjust line breaking and timestamp extraction on the Set Source Type page.

2-14-2022 Example one.
 2-14-2022 Example two with leading space.
(empty line)

tscroggins_0-1678650711585.png

Note that very old events (> 900 days by default but perhaps earlier in your environment) may be quarantined (written to a separate bucket), and depending on your environment's retention settings, may not remain online for as long as you'd hoped. Check with your Splunk administrator for your environment's specific characteristics.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...