How to use TIME_PREFIX to extract Timestamp for th...

kiran331 · ‎04-03-2018

How to Extract the timestamp (Date: in below screenshot) which is in UTC format and convert to CST format? current timestamp is indexing timestamp.

sravankaripe · ‎04-05-2018

[ _json ]
BREAK_ONLY_BEFORE={"preview"
pulldown_type=true
TIME_PREFIX=\s\\"date\\":\s+\\"

sravankaripe · ‎04-05-2018

Try this or above stanza

[ _json ]
BREAK_ONLY_BEFORE={"preview"
TIME_PREFIX=\s\\"date\\":\s+\\"
TIME_FORMAT=%Y-%m-%dT%H:%M:%S+%N:%N
TRUNCATE=9999999

davpx · ‎04-04-2018

TIME_PREFIX = timestamp:\s+
TIME_FORMAT = %s

in props.conf

kiran331 · ‎04-05-2018

I tried it din't work.

splunker12er · ‎04-03-2018

yoursearch| eval CST_time=_time-21600| convert ctime(CST_time)|table CST_time , _time

yoursearch| eval CST_time=now()-21600| convert ctime(CST_time)|table CST_time , _time

Central Standard Time (CST) is 6 hours behind Coordinated Universal Time (UTC).
where your _time is UTC

kiran331 · ‎04-04-2018

Is there a way to do it at indexing time?

How to use TIME_PREFIX to extract Timestamp for the JSON logs?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Global Splunk User Group Events: May + June 2026

Join the Conversation