How do I add the year dynamically to an event with...

JackNobrega · ‎05-01-2015

I have a timestamp that needs to be fixed. It doesn't have a year in the timestamp. Example Apr 30 16:40:08. How do I dynamically fix this so Splunk can index it correctly?

stephane_cyrill · ‎05-01-2015

Hi this will help.

docs.splunk.com/Documentation/Splunk/6.2.2/Data/Configuretimestamprecognition

To configure how Splunk Enterprise recognizes timestamps, edit
props.conf . There are a number of attributes that pertain to
timestamps. In particular, you can determine how Splunk Enterprise
recognizes a timestamp by using the TIME_FORMAT attribute to specify
a strptime() format for the timestamp. You can also set other
attributes pertaining to timestamps; for example, to specify where a
timestamp is located in an event, what time zone to use, or how to
deal with timestamps of varying currency.

How do I add the year dynamically to an event with a timestamp that doesn't have one?

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?

How do I add the year dynamically to an event with a timestamp that doesn't have one?

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?