Solved: Change timestamp of input data during indexing

ashabc · ‎08-01-2017

I have a simple file that is generated by a script for which I do not have a control. The content of the file is like below

{
  "total": 15615
}
{
  "limit": 32250
}

Splunk can parse data well using sourcetype=json_no_timestamp
As a default the timestamp for the indexed data is the current system time

Is there a way I can modify the date time for this particular input (I am using file monitor)? I would like the date stamp to be 1 day behind than the current system time, as data in the file actually represents yesterday's information and not today's.

sbbadri · ‎08-01-2017

@ashabc
try this,

you need to do this in the indexer

props.conf

[your sourcetypename]
EVAL-newDate = _time
EVAL-newDate1 = newDate - 86400
EVAL-_time = strftime(newDate1,"%Y-%m-%d %H:%M:%S")

I hope this helps

View solution in original post

sbbadri · ‎08-01-2017

@ashabc
try this,

you need to do this in the indexer

props.conf

[your sourcetypename]
EVAL-newDate = _time
EVAL-newDate1 = newDate - 86400
EVAL-_time = strftime(newDate1,"%Y-%m-%d %H:%M:%S")

I hope this helps

ashabc · ‎08-01-2017

Thank you so much for such a prompt response. I tried this in props.conf, and it appears that splunk does not recognise time format any more after applying this conversion in props.conf for this sourcetype

Could this be because of strftime converts timestamp to string?

ashabc · ‎08-01-2017

Actually I got it working using a search time modifier

eval _time=_time-86400

Thank you for pointing me to the right direction.

Change timestamp of input data during indexing

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Splunk Community Badges!

How to find the worst searches in your Splunk environment and how to fix them

Share Your Feedback: On Admin Config Service (ACS)!

Join the Conversation