Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Overwrite timestamp with two variables
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
pwjones89
Engager
05-21-2013
07:43 AM
I am attempting to overwrite the timestamp Splunk has assigned to each event, with a field which holds an events month, and another with its year. A modification to props.conf would be preferable compared to an inline change, as I would like to call earliest=@mon etc which I believe cannot be done with a _time=......
Thanks.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bmacias84
Champion
05-21-2013
07:58 AM
Splunk areadly does that for you.
Splunk has the following data time fields:
- date
- date_hour
- date_mday
- date_minute
- date_month
- date_second
- date_wday
- date_year
- date_zone
Additional Reading:
Aboutdefaultfields
Hope this helps or gets you started. Dont forget to accept and vote up answers that help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
pwjones89
Engager
05-21-2013
08:18 AM
There was an internal timestamp which was being used to overwrite _time, however that timestamp has been dropped in favour of aggregating events on a monthly basis. Hence why I am looking to base _time on the month and year fields within the data.
Currently I have modified the props.conf to include TIME_PREFIX and TIME_FORMAT options.
I will return will its success.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kristian_kolb
Ultra Champion
05-21-2013
08:05 AM
You should probably post a few sample events, and describe which part you want to change. Are you sure that this isn't more about getting Splunk to understand (better) the timestamp(s) already inside the event.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bmacias84
Champion
05-21-2013
07:58 AM
Splunk areadly does that for you.
Splunk has the following data time fields:
- date
- date_hour
- date_mday
- date_minute
- date_month
- date_second
- date_wday
- date_year
- date_zone
Additional Reading:
Aboutdefaultfields
Hope this helps or gets you started. Dont forget to accept and vote up answers that help.
Get Updates on the Splunk Community!
Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!
What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...
Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
A Prelude to .conf25: Your Guide to Splunk University
Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...
