Solved: Timestamp with different field name?

travispowell · ‎04-28-2011

My timestamp is contained in a field called SESSION_TIMESTAMP. Is there a way I can map the Splunk "understood" timestamp to this already extracted field? Splunk keeps making up bizarre timestamps taking place in 2007.

(*Note: I'm using CSV extraction so it's a little more complicated than a regex or character look-ahead...)

Thanks

gkanapathy · ‎04-28-2011

You can simply use TIME_PREFIX and TIME_FORMAT. TIME_PREFIX specifies a regex that occurs before the timestamp. At the time of indexing, Splunk does not care whether your line is part of a CSV file. For example, if the field is the fourth field, you might use

TIME_PREFIX = ^(?:[^,]*,){3}

and the TIME_FORMAT as appropriate.

View solution in original post

gkanapathy · ‎04-28-2011

You can simply use TIME_PREFIX and TIME_FORMAT. TIME_PREFIX specifies a regex that occurs before the timestamp. At the time of indexing, Splunk does not care whether your line is part of a CSV file. For example, if the field is the fourth field, you might use

TIME_PREFIX = ^(?:[^,]*,){3}

and the TIME_FORMAT as appropriate.

travispowell · ‎04-29-2011

Gah, okay... thank you. I was hoping there would be something more elegant than this. 🙂

travispowell · ‎04-28-2011

i.e., I want to know if I can add something to a CONF file, SPLUNK_TIMESTAMP_NAME="SESSION_TIMESTAMP"

Timestamp with different field name?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor