Solved: Is it possible to link Timestamp from data to Time...

Shadolu · ‎04-04-2022

Is it possible to search base on the Timestamp from the Column than the _time of ingestion

I'm using dB connect not the "add Data"

Since ill be using this in Dashboard, I'm Very new in splunk

rohit1793 · ‎04-04-2022

Hi @Shadolu ,

[<spec>]
TIME_PREFIX = Timestamp --change as per your raw data 
MAX_TIMESTAMP_LOOKAHEAD = 21 
TIME_FORMAT = write regex as per your data , if timestamp is start of your event[%Y-%m-%d %H:%M:%S.%Z]

Yes this is possible, you have to change the parameter in props.conf file. let's say you have data coming in xyz sourcetype, you have to Add above parameter.

Rohit Joshi
Splunk Architect

View solution in original post

rohit1793 · ‎04-04-2022

Hi @Shadolu ,

[<spec>]
TIME_PREFIX = Timestamp --change as per your raw data 
MAX_TIMESTAMP_LOOKAHEAD = 21 
TIME_FORMAT = write regex as per your data , if timestamp is start of your event[%Y-%m-%d %H:%M:%S.%Z]

Yes this is possible, you have to change the parameter in props.conf file. let's say you have data coming in xyz sourcetype, you have to Add above parameter.

Rohit Joshi
Splunk Architect

Is it possible to link Timestamp from data to Time picker?

configuration

dashboard

development

other

search

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!