Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Ingest Backdated Files in Splunk Using Event Report Time as Timeline Timestamp

uagraw01
Motivator
Sunday

Hello Splunkers!!

I have a set of backdated files that need to be ingested into Splunk. The requirement is that the event timestamp (report time) should be used as the event time, so that the data appears in the Splunk timeline under the corresponding historical period rather than the current ingestion time.

In the screenshot below, the event report time does not align with the index time. I would like the index time to match the event report time so that the data is accurately reflected in the Splunk timeline.

 

uagraw01_0-1766388529928.png


In my system I am using below setting:
inputs.conf

[monitor://D:\up_ticket_data\tbl_workorder_*.csv]
sourcetype = maximo_workorder
index = maximo_ts
disabled = false
crcSalt = <SOURCE>
#followTail = 0
charset = UTF-8

props.conf
[maximo_workorder]
INDEXED_EXTRACTIONS = csv
LINE_BREAKER = ([\r\n]+)
SHOULD_LINEMERGE = false
FIELD_DELIMITER = ,
FIELD_QUOTE = "
HEADER_FIELD_LINE_NUMBER = 1
CHARSET = UTF-8
TRUNCATE = 999999
TIME_PREFIX = REPORT_DATE,
TIME_FORMAT = %Y-%m-%d
MAX_TIMESTAMP_LOOKAHEAD = 10
TRANSFORMS-drop_header = remove_workorder_csv_header

I need expertise advise to get it fix.

Labels (1)
Labels
Tags (1)
0 Karma
Reply

tscroggins
Influencer
yesterday

Hi @uagraw01,

Edit: Take @richgalloway's advice. My answer is from the perspective of a single instance. If you're forwarding data, the cooked event from INDEXED_EXTRACTIONS will bypass the receiver's parsing, agg, and typing queues. You can combine the two with force_local_processing on a universal forwarder, but it's not necessary here.

Timestamps are extracted from _raw during aggregation/merging, so you'll want to use a TIME_PREFIX value relative to the event text:

TIME_PREFIX = [+-]\d{2}:\d{2},[^,]+,
MAX_TIMESTAMP_LOOKAHEAD = 25
TIME_FORMAT = %F %T%:z

The default MAX_DAYS_AGO value is 2000, but if your reports are older than that, you'll want to increase that value as well.

If you have a column named "_time" in your CSV file and the value is a Unix epoch time, that value will be the initial value for _time, and a second clean field named "time" without an underscore will be indexed with the original value; however, default timestamp extraction settings will still scan _raw for a timestamp. In your case, 2026-01-16 06:00:00+00:00 would be (or at least should be) extracted absent TIME_PREFIX and TIME_FORMAT settings, overriding any value found by INDEXED_EXTRACTIONS.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
yesterday

TIME_PREFIX is the wrong setting to use for CSV files.  Use TIMESTAMP_FIELDS, instead.

Also, the TIME_FORMAT setting should be "%Y-%m-%d %H:%M:%S to pick the time as well as the date of the events.

---
If this reply helps you, Karma would be appreciated.
Reply

uagraw01
Motivator
yesterday

Hi @richgalloway After accommodate suggested changes; still my files showing with the same index time in Splunk timeline graph.  Is there anything else I need to check or fix /

uagraw01_0-1766468697252.png

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
7 hours ago

It may help to enumerate the data fields rather than have Splunk extract them from the input file.  Use the FIELD_NAMES setting to do that.  See https://help.splunk.com/en/splunk-enterprise/administer/admin-manual/10.0/configuration-file-referen...

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...