My timestamp is contained in a field called SESSION_TIMESTAMP. Is there a way I can map the Splunk "understood" timestamp to this already extracted field? Splunk keeps making up bizarre timestamps taking place in 2007.
(Note: I'm using CSV extraction, so it's a little more complicated than a regex or character look-ahead...)
Thanks
You can simply use TIME_PREFIX and TIME_FORMAT. TIME_PREFIX specifies a regex that occurs before the timestamp. At the time of indexing, Splunk does not care whether your line is part of a CSV file. For example, if the field is the fourth field, you might use

TIME_PREFIX = ^(?:[^,]*,){3}

and the TIME_FORMAT as appropriate.
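As an added illustration (not from the answer above or from Splunk itself), this Python snippet mimics what the TIME_PREFIX / TIME_FORMAT pair does at index time: skip the first three comma-separated fields with the same regex, then parse the text that follows with a strptime format. The sample CSV lines and the LOOKAHEAD constant are constructed here; LOOKAHEAD stands in for Splunk's MAX_TIMESTAMP_LOOKAHEAD. The third row shows the caveat the answer implies: a quoted field containing a comma shifts the prefix match, so the timestamp is not found and Splunk would fall back to its own guess.

```python
import re
from datetime import datetime

# Constructed sample: a header plus two rows; SESSION_TIMESTAMP is the 4th field.
# The last row has a quoted field with an embedded comma, which a plain
# "skip three commas" regex cannot distinguish from a field separator.
SAMPLE_LINES = [
    "user,host,action,SESSION_TIMESTAMP,detail",
    "alice,web01,login,2024-05-01 13:45:10,ok",
    '"smith, bob",web02,logout,2024-05-01 13:46:02,ok',
]

# Equivalent of the props.conf settings from the answer (assumed format):
#   TIME_PREFIX = ^(?:[^,]*,){3}
#   TIME_FORMAT = %Y-%m-%d %H:%M:%S
TIME_PREFIX = re.compile(r"^(?:[^,]*,){3}")
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"
# Characters read after the prefix; 19 covers the format above.
LOOKAHEAD = 19


def extract_timestamp(line: str):
    """Return the parsed timestamp, or None when the prefix does not match
    or the text after it does not fit TIME_FORMAT (the case where Splunk
    would fall back to its own, often wrong, timestamp guess)."""
    m = TIME_PREFIX.match(line)
    if not m:
        return None
    candidate = line[m.end():m.end() + LOOKAHEAD]
    try:
        return datetime.strptime(candidate, TIME_FORMAT)
    except ValueError:
        return None


def extract_all(lines):
    """Apply extract_timestamp to every line, preserving order."""
    return [extract_timestamp(line) for line in lines]


if __name__ == "__main__":
    for line, ts in zip(SAMPLE_LINES, extract_all(SAMPLE_LINES)):
        print(f"{str(ts):<20} <- {line}")
```

Rows that come back as None are the ones to worry about: the header line is harmless, but a data row that misses the prefix because of quoting will get an invented timestamp, so check for quoted commas before relying on a comma-counting TIME_PREFIX.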
Gah, okay... thank you. I was hoping there would be something more elegant than this. 🙂
i.e., I want to know if I can add something to a CONF file, SPLUNK_TIMESTAMP_NAME="SESSION_TIMESTAMP"