Solved: Is it possible to link Timestamp from data to Time...

Shadolu · ‎04-04-2022

Is it possible to search base on the Timestamp from the Column than the _time of ingestion

I'm using dB connect not the "add Data"

Since ill be using this in Dashboard, I'm Very new in splunk

rohit1793 · ‎04-04-2022

Hi @Shadolu ,

[<spec>]
TIME_PREFIX = Timestamp --change as per your raw data 
MAX_TIMESTAMP_LOOKAHEAD = 21 
TIME_FORMAT = write regex as per your data , if timestamp is start of your event[%Y-%m-%d %H:%M:%S.%Z]

Yes this is possible, you have to change the parameter in props.conf file. let's say you have data coming in xyz sourcetype, you have to Add above parameter.

Rohit Joshi
Splunk Architect

View solution in original post

rohit1793 · ‎04-04-2022

Hi @Shadolu ,

[<spec>]
TIME_PREFIX = Timestamp --change as per your raw data 
MAX_TIMESTAMP_LOOKAHEAD = 21 
TIME_FORMAT = write regex as per your data , if timestamp is start of your event[%Y-%m-%d %H:%M:%S.%Z]

Yes this is possible, you have to change the parameter in props.conf file. let's say you have data coming in xyz sourcetype, you have to Add above parameter.

Rohit Joshi
Splunk Architect

Is it possible to link Timestamp from data to Time picker?

configuration

dashboard

development

search

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation