assign cron time to timestamp

yaaseensalie · ‎09-15-2020

Hi,

I have a rest call that runs every 24hours, and the number of events that are returned are in the region of +500 000 this obviously takes a few minutes to get everything into Splunk.

The problem is that the timestamps are completely out, I want all events to have the cron timestamp instead of the indexed time. I've tried

DATETIME_CONFIG = NONE

and I've tried

DATETIME_CONFIG = CURRENT

is there anything else I can try?

Thanks

ITWhisperer · ‎09-15-2020

Try overriding _time in your query

| eval _time=now()

Or perhaps

| eval start=now()

toward the beginning of your query, and

| eval _time=start

towards the end

yaaseensalie · ‎09-16-2020

Thanks @ITWhisperer for the reply

But The GET request takes a while to get the results into Splunk, I'm using these results to create a lookup. I would like to use the CRON time as my timestamp for my events, I don't want to override anything in SPL. I'm trying to find a solution which is during Index time and not Search Time.

assign cron time to timestamp

heavy forwarder

props.conf

time

universal forwarder

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation

assign cron time to timestamp

heavy forwarder

props.conf

time

universal forwarder

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...