Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to set custom user provided timestamp as the Splunk timestamp while logging to Splunk?

abhishek_singh
Loves-to-Learn
‎04-03-2023 12:05 PM

I have a use case in which our user sends us logs in batches in which each individual logs have their own timestamp(when they would have occurred), which we then log individually to the splunk using serilog.sinks.splunk in .net 6.

What we are trying to do is replace the automatically generated logging time in splunk with the original timestamp that we received from our user.

Is this possible in splunk ? and if so then how.

Labels (2)
Labels
0 Karma
Reply

woodcock
Esteemed Legend
‎04-11-2023 01:24 PM

Create a props.conf on your indexers to do the Magic8:
https://kinneygroup.com/blog/splunk-magic-8-props-conf/

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-04-2023 06:38 AM

Between reading data from the source and writing it to Splunk using serilog.sinks.splunk, you can do anything you want, including replacing the event timestamp.

Be sure the Splunk sourcetype for the data has settings to properly find and interpret the new timestamp. (Don't use DATETIME_CONFIG = current, for example).

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

abhishek_singh
Loves-to-Learn
‎04-04-2023 06:47 AM


@richgalloway : My apologies if this is a trivial question i am quite new to splunkWhere is this setting for DATETIME_CONFIG present and how can we edit it. Can we do this on the fly using the  serilog.sinks.splunk.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-04-2023 08:56 AM

DATETIME_CONFIG is one of many settings available in props.conf files on your indexers and heavy forwarders (if any).  It's unlikely it can be set using serilog.sinks.splunk.

See https://docs.splunk.com/Documentation/Splunk/9.0.4/Admin/Propsconf#:~:text=Timestamp%20extraction%20...

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What goes away as soon as you talk about it?

May 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...

What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025

This month, we’re delivering several new innovations in Splunk Observability Cloud and Splunk AppDynamics ...

Getting Started with Splunk Artificial Intelligence, Insights for Nonprofits, and ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Top