Change timestamp and making it effective

davidjehoul · ‎03-01-2013

Hi,
I'm trying to redefine the timestamp for my resource that contains data as follows:

DBInit-27,21/02/2013 9:28:26,22/02/2013 16:30:16,0,R_1812,0,Netscape3.0,0,0,3,172.21.0.132,172.21.0.132,ohm-web-7.9.0-SNAPSHOT (6f5d6 - 2013-02-26 13:58:14),20130301_110723,1/03/2013 11:12:38,1/03/2013 11:12:45,7,True,DAVIDJ-3500,x86,4

By default, the timestamp that is extracted is the first one that it encounters, being 21/02/2013 9:28:26 in this case. However, I want to make the timestamp to be 1/03/2013 11:12:38 (the one before the last timestamp). For this, I added the following in C:\Program Files\Splunk\etc\apps\search\default\props.conf:

[source::C:\\Temp\\testResultLog.csv] TIME_PREFIX = \d{8}_\d{6}, TIME_FORMAT = %d/%m/%y %H:%M:%S

The regex matches 20130301_110723, expecting to define the timestamp as I desire, as is explained in the manual.
Unfortunately, this has no effect; I tried to stop and start splunk; did a source="C:\\Temp\\testResultLog.csv" | extract reload=T; all to no effect ..

Thanks!

Ayn · ‎03-01-2013

Timestamp extraction takes place at index-time, and as such changes to this will not apply to data that has already been indexed. You need to reindex your data.

Change timestamp and making it effective

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7