Timeline picking up incorrect TimeStamp field from Windows Event Logs?

New Member

Hi,

I'm completely new to Splunk. I started using it today; some things are intuitive, but I'm struggling with the Timeline. I've loaded Event Logs from one of our Windows boxes. I loaded them using "Data Inputs" -> "Files and Directories". It shows the event log data, but there are two fields in the Event Logs:

  1. Server Restart TimeStamp
  2. Event TimeStamp

For some reason, Splunk automatically picks up the Server Restart TimeStamp, but I want it to pick up the Event TimeStamp. How do I change this?

Sorry, I've searched before asking but couldn't find anything relevant.

Thanks,
DV

Re: Timeline picking up incorrect TimeStamp field from Windows Event Logs?

Esteemed Legend

Set the TIME_PREFIX and TIME_FORMAT parameters.

Re: Timeline picking up incorrect TimeStamp field from Windows Event Logs?

New Member

Thank you. Set where? Sorry, I'm completely new, and I'm on Splunk Light without a forwarder.

Thanks,
DV

Re: Timeline picking up incorrect TimeStamp field from Windows Event Logs?

Esteemed Legend

However you set up your input, there should have been settings with these names. Go back to Settings -> Data Inputs and find your input (or did you do a File Upload one-shot?) and edit it. You should be able to find these settings.

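The two replies above name the settings (TIME_PREFIX and TIME_FORMAT) and say they live on the input's source type. Below is an added props.conf example of what those settings look like; it is not from the thread or from Splunk's documentation for this case. The source type names, the field names (ServerRestartTimeStamp, EventTimeStamp) and the sample lines are assumptions, since the original post does not show the export format; adjust them to what your file actually contains.

```ini
# props.conf -- added example, not from the thread. Source type names, field names
# and the sample lines are assumptions; match them to your own Windows export.
#
# Constructed sample line the first stanza assumes (one event per line):
#   ServerRestartTimeStamp=2019-06-12 08:00:00 EventTimeStamp=2019-06-12 10:15:32 EventID=7036 Level=Information
#
# With no TIME_PREFIX, timestamp extraction takes the first timestamp-like string on
# the line, which here is the server restart time. TIME_PREFIX is a regular
# expression; extraction starts immediately after the match, so anchor it on the
# text that sits directly in front of the timestamp you actually want.
[win_eventlog_export]
SHOULD_LINEMERGE = false
TIME_PREFIX = EventTimeStamp=
# strptime-style format of the value that follows the prefix
TIME_FORMAT = %Y-%m-%d %H:%M:%S
# Only scan this many characters after the prefix for the timestamp
# (19 = length of "2019-06-12 10:15:32"), so a later date cannot be picked instead.
MAX_TIMESTAMP_LOOKAHEAD = 19

# If the export is a CSV with a header row, structured extraction avoids the regex:
# name the header column that holds the event time.
# Constructed header and line this stanza assumes:
#   ServerRestartTimeStamp,EventTimeStamp,EventID,Level,Message
#   2019-06-12 08:00:00,2019-06-12 10:15:32,7036,Information,Service entered the running state
[win_eventlog_csv]
INDEXED_EXTRACTIONS = csv
TIMESTAMP_FIELDS = EventTimeStamp
TIME_FORMAT = %Y-%m-%d %H:%M:%S
```

On a single Splunk Light instance the file goes in $SPLUNK_HOME/etc/system/local/props.conf (or an app's local directory), followed by a restart; in Splunk Web the same two settings appear as "Timestamp prefix" and "Timestamp format" under the advanced timestamp options when you set the source type during Add Data. Two caveats: the change applies only to data indexed after it, so a file already uploaded keeps its wrong _time until you delete it and upload it again under the corrected source type; and if TIME_PREFIX does not match a line at all, timestamp extraction fails for that event and Splunk falls back to another time, so after re-indexing, compare _time against the EventTimeStamp field in a search to confirm the prefix matched every event.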