Re: assign cron time to timestamp

yaaseensalie · ‎09-15-2020

Hi,

I have a rest call that runs every 24hours, and the number of events that are returned are in the region of +500 000 this obviously takes a few minutes to get everything into Splunk.

The problem is that the timestamps are completely out, I want all events to have the cron timestamp instead of the indexed time. I've tried

DATETIME_CONFIG = NONE

and I've tried

DATETIME_CONFIG = CURRENT

is there anything else I can try?

Thanks

ITWhisperer · ‎09-15-2020

Try overriding _time in your query

| eval _time=now()

Or perhaps

| eval start=now()

toward the beginning of your query, and

| eval _time=start

towards the end

yaaseensalie · ‎09-16-2020

Thanks @ITWhisperer for the reply

But The GET request takes a while to get the results into Splunk, I'm using these results to create a lookup. I would like to use the CRON time as my timestamp for my events, I don't want to override anything in SPL. I'm trying to find a solution which is during Index time and not Search Time.

assign cron time to timestamp

heavy forwarder

props.conf

time

universal forwarder

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Monitoring AI Agents with Splunk Observability Cloud

[Puzzles] Solve, Learn, Repeat: Tiling

Join the Conversation