Solved: _time or time not being populated correctly from a...

clintla · ‎08-25-2016

Having issues getting time right.
My time is currently being populated by file creation time & not the 2nd column of the CSV file.

In troubleshooting, I've extracted time out a couple times.
DATE_ 2016-08-25 01:05:00 PM
extractDATE 2016-08-25 01:05:00 PM

but even though in props.conf, I've tried to assign either to the time value- it doesn't seem to have an effect after Splunk restart and addition of new files.

Props shows
TIMESTAMP_FIELDS = extractDATE

the time shows as
Time _time 2016-08-25T13:39:02.000-07:00

I've successfully assigned timestamp, but that doesn't show well in a timechart.
I've looked for other ways to assign @ search time such as an eval command to assign time, but that clobbers the time all together

Is there a manual way to assign time to a field in the GUI or at search time? hard to figure out what I'm doing wrong here.

clintla · ‎08-25-2016

I'm good.. used this command to re-assign that doesnt clobber the time

eval _time =strptime(timestamp,"%Y-%m-%d %H:%M:%S %P")

View solution in original post

clintla · ‎08-25-2016

I'm good.. used this command to re-assign that doesnt clobber the time

eval _time =strptime(timestamp,"%Y-%m-%d %H:%M:%S %P")

_time or time not being populated correctly from a CSV file

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation

_time or time not being populated correctly from a CSV file

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...