Solved: Overwrite timestamp with two variables

pwjones89 · ‎05-21-2013

I am attempting to overwrite the timestamp Splunk has assigned to each event, with a field which holds an events month, and another with its year. A modification to props.conf would be preferable compared to an inline change, as I would like to call earliest=@mon etc which I believe cannot be done with a _time=......

Thanks.

bmacias84 · ‎05-21-2013

Splunk areadly does that for you.

Splunk has the following data time fields:

date
date_hour
date_mday
date_minute
date_month
date_second
date_wday
date_year
date_zone

Additional Reading:
Aboutdefaultfields

Hope this helps or gets you started. Dont forget to accept and vote up answers that help.

View solution in original post

pwjones89 · ‎05-21-2013

There was an internal timestamp which was being used to overwrite _time, however that timestamp has been dropped in favour of aggregating events on a monthly basis. Hence why I am looking to base _time on the month and year fields within the data.
Currently I have modified the props.conf to include TIME_PREFIX and TIME_FORMAT options.
I will return will its success.

kristian_kolb · ‎05-21-2013

You should probably post a few sample events, and describe which part you want to change. Are you sure that this isn't more about getting Splunk to understand (better) the timestamp(s) already inside the event.

bmacias84 · ‎05-21-2013

Splunk areadly does that for you.

Splunk has the following data time fields:

date
date_hour
date_mday
date_minute
date_month
date_second
date_wday
date_year
date_zone

Additional Reading:
Aboutdefaultfields

Hope this helps or gets you started. Dont forget to accept and vote up answers that help.

Overwrite timestamp with two variables

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Splunk Life | Happy Pride Month!

SplunkTrust | Where Are They Now - Michael Uschmann