Getting Data In
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

can we modify a wrong timestamp?

attgjh1
Communicator
‎06-07-2012 12:25 AM

the default _time are actually at the time of indexing. however my logs have another time string which i have to separately extract now.

e.g

_time Date Time

05/06/2012 13:19:00.000 7/24/2011 1:47:05

basically im trying to create a timechart but span=1h seems to only affect _time. Any one has encountered such a situation before? I wan to apply it to "Time" field at the very least?

or is there any way to change _time to reflect the new time.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎06-07-2012 12:34 AM

Do you want to:

  • Permanently change the _time value for events that are already in the index? That cannot be done.
  • Configure Splunk to properly recognize the timestamp so that _time will contain the correct timestamp in the future? Have a look at http://docs.splunk.com/Documentation/Splunk/latest/Data/Configuretimestamprecognition
  • Just temporarily set the _time value to something else? That could be done by using eval before running timechart. I could update my answer with more details on how to do this if this is what you want to do.

UPDATE: So, if you want to go with option 3, you could do something like what I show below. I'm assuming that your fields called what you specified "Date" and "Time".

... | eval mytime=Date." ".Time | eval _time=strptime(mytime,"%m/%d/%Y %H:%M:%S") | timechart ...

After you've done the eval, the _time field that will be picked up by timechart is the one you just extracted from the Date and Time fields, instead of the actual timestamp that Splunk put on the event.

View solution in original post

Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎06-07-2012 12:34 AM

Do you want to:

  • Permanently change the _time value for events that are already in the index? That cannot be done.
  • Configure Splunk to properly recognize the timestamp so that _time will contain the correct timestamp in the future? Have a look at http://docs.splunk.com/Documentation/Splunk/latest/Data/Configuretimestamprecognition
  • Just temporarily set the _time value to something else? That could be done by using eval before running timechart. I could update my answer with more details on how to do this if this is what you want to do.

UPDATE: So, if you want to go with option 3, you could do something like what I show below. I'm assuming that your fields called what you specified "Date" and "Time".

... | eval mytime=Date." ".Time | eval _time=strptime(mytime,"%m/%d/%Y %H:%M:%S") | timechart ...

After you've done the eval, the _time field that will be picked up by timechart is the one you just extracted from the Date and Time fields, instead of the actual timestamp that Splunk put on the event.

Reply
Solved! Jump to solution

attgjh1
Communicator
‎06-07-2012 05:39 PM

Thanks alot.

Here's a cookie.

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎06-07-2012 02:26 AM

Exactly, you're overwriting the _time field with eval.

If the _time field is empty after running eval that's because the strptime expression couldn't be applied successfully. You need to check that the format from the mytime field matches the strptime format string.

0 Karma
Reply
Solved! Jump to solution

imanpoeiri
Communicator
‎07-20-2015 01:38 AM

you just received a cookie!

0 Karma
Reply
Solved! Jump to solution

attgjh1
Communicator
‎06-07-2012 01:41 AM

thanks. i sort of understand your suggestion. im under the assumption that _time can be overwritten with eval?

hmm. ive tried it but it didnt work.here is my regex and my search line:

rex "(?i)^(?P[\d/]*) (?P

somehow _time is now blank fields but i have the fields extracted correctly.

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎06-07-2012 01:19 AM

Updated my answer.

0 Karma
Reply
Solved! Jump to solution

attgjh1
Communicator
‎06-07-2012 12:57 AM

as long as i can walk around a solution to sort them hourly. still working a way around it cuz span works only on _time. 😕

is there a way to trick splunk to work and display a chart using Time Date instead? (probably something like ur 3rd suggestion which i have yet figure out how ) 😞

thanks alot!

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
li.common.scroll-to.top