Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Is it possible to set a timestamp to year value only?

franciscog
Engager
‎09-15-2017 12:31 PM

Hey everyone, i know Splunk is only for machine data, but I was trying to use it for some other non-machine data that only provides the year as the time-stamp. Is there any way to configure the time-stamp to only use the year format? No, month, day, hour or the like. I was looking at editing the props.conf file but i'm not really sure what i would put in the time format section. Could someone help me figure this out please or let me know if it is impossible?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jluo_splunk
Splunk Employee
Splunk Employee
‎09-15-2017 12:58 PM

When you extract the time out of a raw event inside of splunk, it will convert the timestamp into it's epoch time equivalent. With that said - there must be a month, day, year, etc.

You could allow it to ingest the data with a dummy timestamp, and then extract the year by hand for later use, and disregard the timestamp stored.

View solution in original post

Reply
Solved! Jump to solution

DalJeanis
Legend
‎09-15-2017 03:04 PM

@franciscog - FYI, no, Splunk is not ONLY for machine data. It is merely optimized for machine log data. Reading on this site, there is no limit to the number of interesting things people are doing with it. You can load your love letters in here and do NLP on them.

0 Karma
Reply
Solved! Jump to solution
Solution

jluo_splunk
Splunk Employee
Splunk Employee
‎09-15-2017 12:58 PM

When you extract the time out of a raw event inside of splunk, it will convert the timestamp into it's epoch time equivalent. With that said - there must be a month, day, year, etc.

You could allow it to ingest the data with a dummy timestamp, and then extract the year by hand for later use, and disregard the timestamp stored.

Reply
Solved! Jump to solution

franciscog
Engager
‎09-15-2017 01:07 PM

Thank you for the reply. I think I will just end up using a dummy month and day to hack it together in my command instead of editing the props.conf

|eval _time=strptime(Year."01"."01","%Y%m%d")|timechart

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...