Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

timestamp=none

gcusello
Esteemed Legend
‎11-20-2015 03:26 AM

I acquired some logs from a scrip (close to ps.sh) with a timestamp correctly recognized at index time.
The problem is that the "timestamp" field is always equal to "none" so I cannot have the other date fields (date_wday, date_hour, etc...).
I tried to configure the TIMESTAMP_FORMAT but I always acquire events with "timestamp=none".
Anyone has any idea?
thank you in advance.
Bye.
Giuseppe

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎11-20-2015 08:03 AM

When you use a scripted input the default is to use now as the timestamp so the usual timestamp normalization is not necessary, not done, and all the date* fileds are not created (which are ALWAYS WRONG anyway so they should NEVER be used; you should always create your own with eval date_whatever = strftime(_time, "whatever")). Additionally, in such a circumstance, a timestamp field set to value none is created. There is no need to configure anything; this is all normal. Your events (timestamps) are fine.

Also, see this Q&A about those fields (and how and why to create your own):
https://answers.splunk.com/answers/243017/counting-the-total-number-of-days-for-all-time.html

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎11-20-2015 08:03 AM

When you use a scripted input the default is to use now as the timestamp so the usual timestamp normalization is not necessary, not done, and all the date* fileds are not created (which are ALWAYS WRONG anyway so they should NEVER be used; you should always create your own with eval date_whatever = strftime(_time, "whatever")). Additionally, in such a circumstance, a timestamp field set to value none is created. There is no need to configure anything; this is all normal. Your events (timestamps) are fine.

Also, see this Q&A about those fields (and how and why to create your own):
https://answers.splunk.com/answers/243017/counting-the-total-number-of-days-for-all-time.html

Reply
Solved! Jump to solution

gcusello
Esteemed Legend
‎11-20-2015 08:32 AM

Ok I extracted weekday and hours from _time using eval.
thank you.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Reimagine what you can do with your dashboards. Dashboard Studio is Splunk’s newest dashboard builder to ...

Introducing Edge Processor: Next Gen Data Transformation

We get it - not only can it take a lot of time, money and resources to get data into Splunk, but it also takes ...

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey. Last year’s ...