Splunk Enterprise

How to enable Splunk to set the time of an event based on a condition during indexation?


My event will be as follows:

#2020-01-01;12:00:00#2020-01-01;12:00:00#content on the event. 

#2020-01-01;12:00:01#1970-01-01;00:00:00#content on the event. 

I have configured my sourcetype to pick the time highlighted in orange as the time of the event during indexation; however, sometimes in our logs we have the time recorded with a date starting with 1970, which Splunk doesn't recognize because of the max days ago limit. In such cases, is there a possibility to add a condition to fetch the date in Blue as the date of the event?

P.S.: I can change the _time of the event in the search head, but I'm trying for a solution that will index the events directly with the Blue time as the time of the event when there is 1970 in the orange time.



@manikanta461 assuming that whenever you get a 1970 date it is always 1970-01-01;00:00:00. You can use SEDCMD through props.conf or REGEX through transforms.conf to find the starting date and the hardcoded 1970-01-01;00:00:00. Replace it whenever the hardcoded 1970-01-01;00:00:00 is found.

Something like the following, which captures the 1st group as the first date value and the 2nd group as 1970-01-01;00:00:00. All you have to do is replace \2 with \1.

Refer to the anonymization documentation, which in your case you can use for replacement with capturing group 1 instead of 2 whenever the hardcoded 1970 date is found.

Following is a run-anywhere example to demo how this works. The second row has the 1970 event as per your question.


| makeresults 
| eval _raw="#2020-01-01;12:00:00#2020-01-01;12:00:00#content on the event1." 
| append 
    [| makeresults 
    | eval _raw="#2020-01-01;12:00:00#1970-01-01;00:00:00#content on the event1."] 
| rex mode=sed "s/^(#[^#]+)(\#1970-01-01;00:00:00)/\1\1/g"


| makeresults | eval message= "Happy Splunking!!!"
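As an added check that is not part of the answer above, the following Python script applies the same sed substitution to the two sample events from the question and, separately, implements the fallback the question asks for (use the first timestamp when the second one is an epoch-era 1970 date). The `event_time` helper and its `max_days_ago` threshold are assumptions for illustration, not Splunk settings.

```python
import re
from datetime import datetime, timezone

# Constructed sample events in the question's format:
# #<first timestamp>#<second timestamp>#<message>
SAMPLE_EVENTS = [
    "#2020-01-01;12:00:00#2020-01-01;12:00:00#content on the event.",
    "#2020-01-01;12:00:01#1970-01-01;00:00:00#content on the event.",
]

# Same expression as the answer's rex mode=sed: group 1 is the first
# timestamp, group 2 is the hard-coded 1970 sentinel in the second slot.
SED_PATTERN = re.compile(r"^(#[^#]+)(#1970-01-01;00:00:00)")
TIME_FORMAT = "%Y-%m-%d;%H:%M:%S"


def rewrite_1970(raw: str) -> str:
    """Replace the 1970 sentinel with a copy of group 1 (the answer's \1\1)."""
    return SED_PATTERN.sub(r"\1\1", raw, count=1)


def parse_timestamp(field: str) -> datetime:
    """Parse one 'YYYY-MM-DD;HH:MM:SS' field as UTC."""
    return datetime.strptime(field, TIME_FORMAT).replace(tzinfo=timezone.utc)


def event_time(raw: str, max_days_ago: int = 2000) -> datetime:
    """Hypothetical helper: prefer the second timestamp (the one the
    sourcetype is configured for); fall back to the first when the second
    is more than max_days_ago days older than the first, which is how an
    epoch-zero 1970 date shows up."""
    parts = raw.split("#")
    first, second = parse_timestamp(parts[1]), parse_timestamp(parts[2])
    # The first timestamp is the reference so the check is deterministic
    # instead of depending on the wall clock.
    return first if (first - second).days > max_days_ago else second


if __name__ == "__main__":
    for raw in SAMPLE_EVENTS:
        print(rewrite_1970(raw), "->", event_time(raw).isoformat())
```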