Solved: Change timestamp of input data during indexing

ashabc · ‎08-01-2017

I have a simple file that is generated by a script for which I do not have a control. The content of the file is like below

{
  "total": 15615
}
{
  "limit": 32250
}

Splunk can parse data well using sourcetype=json_no_timestamp
As a default the timestamp for the indexed data is the current system time

Is there a way I can modify the date time for this particular input (I am using file monitor)? I would like the date stamp to be 1 day behind than the current system time, as data in the file actually represents yesterday's information and not today's.

sbbadri · ‎08-01-2017

@ashabc
try this,

you need to do this in the indexer

props.conf

[your sourcetypename]
EVAL-newDate = _time
EVAL-newDate1 = newDate - 86400
EVAL-_time = strftime(newDate1,"%Y-%m-%d %H:%M:%S")

I hope this helps

View solution in original post

sbbadri · ‎08-01-2017

@ashabc
try this,

you need to do this in the indexer

props.conf

[your sourcetypename]
EVAL-newDate = _time
EVAL-newDate1 = newDate - 86400
EVAL-_time = strftime(newDate1,"%Y-%m-%d %H:%M:%S")

I hope this helps

ashabc · ‎08-01-2017

Thank you so much for such a prompt response. I tried this in props.conf, and it appears that splunk does not recognise time format any more after applying this conversion in props.conf for this sourcetype

Could this be because of strftime converts timestamp to string?

ashabc · ‎08-01-2017

Actually I got it working using a search time modifier

eval _time=_time-86400

Thank you for pointing me to the right direction.

Change timestamp of input data during indexing

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off