Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to generate a proper timestamp on events?

dominiquevocat
SplunkTrust
SplunkTrust
‎11-30-2016 09:09 AM

I have data where i get a date/timestamp as a string and an offset as a string from some API.

I manage to generate the _time field and it shows properly in the event view and stuff like time based drilldown (plus minus n seconds) works.

However only the field _time is available on the event and the date_hour etc fields do not show up, thus timechart etc won't work.

I tried to generate the timestamp subfields and append them to the event but they are not visible in Splunk.

What do i need to take care of to get proper events with a proper timestamp?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dominiquevocat
SplunkTrust
SplunkTrust
‎12-04-2016 11:21 AM

Just return _time as epoch.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

dominiquevocat
SplunkTrust
SplunkTrust
‎12-04-2016 11:21 AM

Just return _time as epoch.

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎11-30-2016 10:28 AM

One of the crude options in our case would be to overwrite _time with field_time. Provided field_time is time stored in string format. PS: The time format below is assuming string date time string is in YYYY/MM/DD HH:MM:SS format. You can use your own time formatting based on your exiisting field_time values.
| eval _time= strptime(field_time,"%Y/%m/%d %H:%M:S") | timechart ...

If field_time contains epoch time and not string time then direct assignment should work:
** | eval _time=field_time | timechart **...

Since identification of exact time for various event is most crucial for Splunk, ideally, _time should be parsed and identified directly during data ingestion for optimal performance and accurate results. Any modifications to _time field afterwards may lead to unwanted results and issues.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

dominiquevocat
SplunkTrust
SplunkTrust
‎12-02-2016 08:57 AM

doh'

if i just send it as epoch its fine. Erm.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

 Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team for an ...