Solved: Timestamp with different field name?

travispowell · ‎04-28-2011

My timestamp is contained in a field called SESSION_TIMESTAMP. Is there a way I can map the Splunk "understood" timestamp to this already extracted field? Splunk keeps making up bizarre timestamps taking place in 2007.

(*Note: I'm using CSV extraction so it's a little more complicated than a regex or character look-ahead...)

Thanks

gkanapathy · ‎04-28-2011

You can simply use TIME_PREFIX and TIME_FORMAT. TIME_PREFIX specifies a regex that occurs before the timestamp. At the time of indexing, Splunk does not care whether your line is part of a CSV file. For example, if the field is the fourth field, you might use

TIME_PREFIX = ^(?:[^,]*,){3}

and the TIME_FORMAT as appropriate.

View solution in original post

gkanapathy · ‎04-28-2011

You can simply use TIME_PREFIX and TIME_FORMAT. TIME_PREFIX specifies a regex that occurs before the timestamp. At the time of indexing, Splunk does not care whether your line is part of a CSV file. For example, if the field is the fourth field, you might use

TIME_PREFIX = ^(?:[^,]*,){3}

and the TIME_FORMAT as appropriate.

travispowell · ‎04-29-2011

Gah, okay... thank you. I was hoping there would be something more elegant than this. 🙂

travispowell · ‎04-28-2011

i.e., I want to know if I can add something to a CONF file, SPLUNK_TIMESTAMP_NAME="SESSION_TIMESTAMP"

Timestamp with different field name?

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers

Are you a member of the Splunk Community?

Timestamp with different field name?

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers