Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Is it possible to set a timestamp to year value only?

franciscog
Engager
‎09-15-2017 12:31 PM

Hey everyone, i know Splunk is only for machine data, but I was trying to use it for some other non-machine data that only provides the year as the time-stamp. Is there any way to configure the time-stamp to only use the year format? No, month, day, hour or the like. I was looking at editing the props.conf file but i'm not really sure what i would put in the time format section. Could someone help me figure this out please or let me know if it is impossible?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jluo_splunk
Splunk Employee
Splunk Employee
‎09-15-2017 12:58 PM

When you extract the time out of a raw event inside of splunk, it will convert the timestamp into it's epoch time equivalent. With that said - there must be a month, day, year, etc.

You could allow it to ingest the data with a dummy timestamp, and then extract the year by hand for later use, and disregard the timestamp stored.

View solution in original post

Reply
Solved! Jump to solution

DalJeanis
Legend
‎09-15-2017 03:04 PM

@franciscog - FYI, no, Splunk is not ONLY for machine data. It is merely optimized for machine log data. Reading on this site, there is no limit to the number of interesting things people are doing with it. You can load your love letters in here and do NLP on them.

0 Karma
Reply
Solved! Jump to solution
Solution

jluo_splunk
Splunk Employee
Splunk Employee
‎09-15-2017 12:58 PM

When you extract the time out of a raw event inside of splunk, it will convert the timestamp into it's epoch time equivalent. With that said - there must be a month, day, year, etc.

You could allow it to ingest the data with a dummy timestamp, and then extract the year by hand for later use, and disregard the timestamp stored.

Reply
Solved! Jump to solution

franciscog
Engager
‎09-15-2017 01:07 PM

Thank you for the reply. I think I will just end up using a dummy month and day to hack it together in my command instead of editing the props.conf

|eval _time=strptime(Year."01"."01","%Y%m%d")|timechart

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...