Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to generate a proper timestamp on events?

dominiquevocat
SplunkTrust
SplunkTrust
‎11-30-2016 09:09 AM

I have data where i get a date/timestamp as a string and an offset as a string from some API.

I manage to generate the _time field and it shows properly in the event view and stuff like time based drilldown (plus minus n seconds) works.

However only the field _time is available on the event and the date_hour etc fields do not show up, thus timechart etc won't work.

I tried to generate the timestamp subfields and append them to the event but they are not visible in Splunk.

What do i need to take care of to get proper events with a proper timestamp?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dominiquevocat
SplunkTrust
SplunkTrust
‎12-04-2016 11:21 AM

Just return _time as epoch.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

dominiquevocat
SplunkTrust
SplunkTrust
‎12-04-2016 11:21 AM

Just return _time as epoch.

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎11-30-2016 10:28 AM

One of the crude options in our case would be to overwrite _time with field_time. Provided field_time is time stored in string format. PS: The time format below is assuming string date time string is in YYYY/MM/DD HH:MM:SS format. You can use your own time formatting based on your exiisting field_time values.
| eval _time= strptime(field_time,"%Y/%m/%d %H:%M:S") | timechart ...

If field_time contains epoch time and not string time then direct assignment should work:
** | eval _time=field_time | timechart **...

Since identification of exact time for various event is most crucial for Splunk, ideally, _time should be parsed and identified directly during data ingestion for optimal performance and accurate results. Any modifications to _time field afterwards may lead to unwanted results and issues.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

dominiquevocat
SplunkTrust
SplunkTrust
‎12-02-2016 08:57 AM

doh'

if i just send it as epoch its fine. Erm.

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...