Solved: Re: Best practice when the timestamp is an integer

splunker-0625 · ‎01-11-2023

Hi experts,

have .CSV file that timestamp is quite a simple integer and its incremental like 1,2,3,,,,

I want to know how to convert the time column(1,2,3,4,,,,) to any time format that would begin from Jan 1st, 2023 for example.

Does anyone have a great idea for it in props.conf?

Time	AAA	BBB	CCC	DDD
1	1073	29.9360008	121.446498	75
2	1074	29.9360008	121.600296	75
3	1078	29.9360008	122.417319	75

PickleRick · ‎01-11-2023

What would that number mean?

Either use appropriate format like just %d to let splunk assume rest of the fields by default (I'm not too sure though that it will work good across month's end; I think you could be ingesting events with the wrong month) or ingest this field raw and then use INGEST_EVAL to calculate a resulting date.

View solution in original post

PickleRick · ‎01-11-2023

What would that number mean?

Either use appropriate format like just %d to let splunk assume rest of the fields by default (I'm not too sure though that it will work good across month's end; I think you could be ingesting events with the wrong month) or ingest this field raw and then use INGEST_EVAL to calculate a resulting date.

What are best practices when the timestamp is an integer?

props.conf

transforms.conf

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7

Splunk Observability Cloud | Enhancing Your Onboarding Experience with the ...