Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is it possible to set a timestamp to year value only?

franciscog
Engager
‎09-15-2017 12:31 PM

Hey everyone, i know Splunk is only for machine data, but I was trying to use it for some other non-machine data that only provides the year as the time-stamp. Is there any way to configure the time-stamp to only use the year format? No, month, day, hour or the like. I was looking at editing the props.conf file but i'm not really sure what i would put in the time format section. Could someone help me figure this out please or let me know if it is impossible?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jluo_splunk
Splunk Employee
Splunk Employee
‎09-15-2017 12:58 PM

When you extract the time out of a raw event inside of splunk, it will convert the timestamp into it's epoch time equivalent. With that said - there must be a month, day, year, etc.

You could allow it to ingest the data with a dummy timestamp, and then extract the year by hand for later use, and disregard the timestamp stored.

View solution in original post

Reply
Solved! Jump to solution

DalJeanis
Legend
‎09-15-2017 03:04 PM

@franciscog - FYI, no, Splunk is not ONLY for machine data. It is merely optimized for machine log data. Reading on this site, there is no limit to the number of interesting things people are doing with it. You can load your love letters in here and do NLP on them.

0 Karma
Reply
Solved! Jump to solution
Solution

jluo_splunk
Splunk Employee
Splunk Employee
‎09-15-2017 12:58 PM

When you extract the time out of a raw event inside of splunk, it will convert the timestamp into it's epoch time equivalent. With that said - there must be a month, day, year, etc.

You could allow it to ingest the data with a dummy timestamp, and then extract the year by hand for later use, and disregard the timestamp stored.

Reply
Solved! Jump to solution

franciscog
Engager
‎09-15-2017 01:07 PM

Thank you for the reply. I think I will just end up using a dummy month and day to hack it together in my command instead of editing the props.conf

|eval _time=strptime(Year."01"."01","%Y%m%d")|timechart

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...