Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Timestamp with different field name?

travispowell
Path Finder
‎04-28-2011 04:39 PM

My timestamp is contained in a field called SESSION_TIMESTAMP. Is there a way I can map the Splunk "understood" timestamp to this already extracted field? Splunk keeps making up bizarre timestamps taking place in 2007.

(*Note: I'm using CSV extraction so it's a little more complicated than a regex or character look-ahead...)

Thanks

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎04-28-2011 07:41 PM

You can simply use TIME_PREFIX and TIME_FORMAT. TIME_PREFIX specifies a regex that occurs before the timestamp. At the time of indexing, Splunk does not care whether your line is part of a CSV file. For example, if the field is the fourth field, you might use

TIME_PREFIX = ^(?:[^,]*,){3}

and the TIME_FORMAT as appropriate.

View solution in original post

Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎04-28-2011 07:41 PM

You can simply use TIME_PREFIX and TIME_FORMAT. TIME_PREFIX specifies a regex that occurs before the timestamp. At the time of indexing, Splunk does not care whether your line is part of a CSV file. For example, if the field is the fourth field, you might use

TIME_PREFIX = ^(?:[^,]*,){3}

and the TIME_FORMAT as appropriate.

Reply
Solved! Jump to solution

travispowell
Path Finder
‎04-29-2011 08:50 AM

Gah, okay... thank you. I was hoping there would be something more elegant than this. 🙂

0 Karma
Reply
Solved! Jump to solution

travispowell
Path Finder
‎04-28-2011 04:40 PM

i.e., I want to know if I can add something to a CONF file, SPLUNK_TIMESTAMP_NAME="SESSION_TIMESTAMP"

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...