Getting Data In

How to assign _time value to another field which is already exist in the data with value?

Madhan45
Path Finder

I used below setting in props foe below sample data. But didn't help. Is that possible and how?

1.SEDCMD-Validated_time=sed "s/\"validated_time\":\"\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}\",/\"validated_time\":\"_time\"/g"
2.SEDCMD-Validated_time=sed "s/\"validated_time\":\"\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}\",/\"validated_time\":\"$_time\"/g"
3.SEDCMD-Validated_time=sed "s/\"validated_time\":\"\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}\",/\"validated_time\":\"$_time$\"/g"

exam_date: 2018-01-19
details: { [-]
grade: NEUTRAL

occurrences: { [-]
"validated_time":" 2018-01-19 16:51:28"
}
}

Thanks in advance.

Tags (1)
0 Karma

valiquet
Contributor

|eval var=_time

0 Karma

FrankVl
Ultra Champion

I don't think SED commands can reference fields to build the replacement string.

What is your goal with this? Replacing a timestamp in the raw event with the content of _time? What is _time populated from and why would you want to override the raw event contents like this?

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...