Correcting timestamp with ingest-time eval?

PickleRick · ‎12-07-2021

I have a quite unusual case. One of my sources emits logs with a very stupid timestamp format. It consists of a date and time glued together, which on its own is quite ok, but followed with a timezone info in form of time difference vs UTC expressed... in minutes.

So it's not your typical "+0200". No. It's "+120". There's no such timezone format in your strptime format specification so I have to do it some other way. Since _time is crucial to the proper event processing, of course I have to adjust it in ingest time.

I thought about parsing the offset from the timestamp as an independent field and then correcting the _time field before indexing the event. Does it make sense? I don't see any other way of producing correct timestamp from such data.

isoutamo · ‎12-07-2021

Hi
That should work. If I recall right there are somewhere this kind of examples for using ingest time eval.
R. Ismo

PickleRick · ‎12-07-2021

Thx for confirmation. 🙂

isoutamo · ‎12-08-2021

It was this what I refer https://conf.splunk.com/files/2020/slides/PLA1154C.pdf and

4. Configuration to Demultiplex Conflicting Time Formats

Correcting timestamp with ingest-time eval?

summary indexing

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...