Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do you add a timestamp onto a log that has a second counter in the log?

robertlynch2020
Influencer
‎11-22-2018 06:17 AM

Hi,

I have a log that has a second counter inside it, 1 2...11... 3601...etc .

So data i have
1 Data XXYXX
2 Data XXYXX
5 Data XXYXX
11 Data XXYXX
3601 Date XXYY
etc...

The issues is the log can be given to Splunk on one GO, so it might get 20K links in the same few seconds So I can't use INDEX TIME (As i think it will put all the events into the same few seconds, i need the data to be spread using the seconds in the file)

So i need it to say 3600 seconds is 1 hour and give each event a different time stamp pending on the second counter.....

ALSO...to make it more complex :):):).

I don't want the time to go forward into the future — i would like it to start at the end and go backwards — or, set a negative 2 weeks as "0" and go forward...something like that... [Basally i don't want future events from now()]

What i want Splunk to see for TIMESTAMP (Assuming we go back to start of month or something like that)

01/11/2018 12:00:01 1 Data XXYXX
01/11/2018 12:00:02 2 Data XXYXX
01/11/2018 12:00:05 5 Data XXYXX
01/11/2018 12:00:11 11 Data XXYXX
01/11/2018 13:00:02 3601 Date XXYY

Any help would be super super stuff thanks

Cheers in Advance 🙂
Robbie

0 Karma
Reply

adonio
Ultra Champion
‎11-22-2018 07:45 AM

i think that for index time, youll have to use the datetime.xml to achieve your goals.
you can do it easily at search time, example:

index=<your_index> sourcetype=<your_sourcetype>
| rex field=_raw "(?<seconds_counter>\d+)"
| eval _time = _time + seconds_counter
| more stats and evals to complete your search

hope it helps

0 Karma
Reply

robertlynch2020
Influencer
‎11-22-2018 04:03 PM

Hi.

In fact i need this to add to a datamodel, so i need to do it on index time if possible.

0 Karma
Reply

adonio
Ultra Champion
‎11-22-2018 05:31 PM

interesting,
data models are search results ... why not create an eval field?

0 Karma
Reply

robertlynch2020
Influencer
‎11-26-2018 10:01 AM

HI

This is what we did thanks.
In the datamodel we put in if(isnull(GC_TIMESTAMP),_time-2592000+relative_time,_time) .

So relative_time is the seconds and if no time stamp is there we go back 90 days and start from there.

cheers

Reply
Get Updates on the Splunk Community!

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...

Splunk App Dev Community Updates – What’s New and What’s Next

Welcome to your go-to roundup of everything happening in the Splunk App Dev Community! Whether you're building ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco &#43; Splunk! We’ve ...