Splunk Enterprise

Timeline picking up incorrect TimeStamp field from Windows Event Logs?

dvadithala
New Member

Hi,

I'm completely new to Splunk. Started using it today; some things are intuitive, but I'm struggling with the Timeline. I've loaded Event Logs from one of our Windows boxes. I've loaded them using "Data Input", "Files and Directory". It shows the event log data, but there are two fields in the Event Logs:

  1. Server Restart TimeStamp
  2. Event TimeStamp

For some reason, Splunk is automatically picking up the Server Restart TimeStamp, but I wanted it to pick up the Event TimeStamp. How do I change this?

Sorry, I've searched before asking but couldn't find anything relevant.

Thanks,
DV

0 Karma

woodcock
Esteemed Legend

Set the TIME_PREFIX and TIME_FORMAT parameters.

0 Karma

dvadithala
New Member

Thank you. Set where? Sorry, I'm completely new, and I'm on Splunk Light without a forwarder.

Thanks,
DV

0 Karma

woodcock
Esteemed Legend

However you set up your input, there should have been settings with these names. Go back to Settings -> Data Inputs and find your input (or did you do a File Upload oneshot?) and edit it. You should be able to find these settings.

0 Karma
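For anyone landing on this thread later, here is what those two settings look like when written into props.conf directly, which is the same thing the "Advanced" section of the Data Inputs UI writes for you. This is an added example, not from either poster. The stanza name `winlog_export`, the literal label `Event TimeStamp:` and the `%Y-%m-%d %H:%M:%S` layout are assumptions about how the exported log file looks; replace them with the sourcetype you chose for the input and the exact label and date layout in your own file. A constructed line such as the following is what the stanza is written against:

`Server Restart TimeStamp: 2021-10-01 08:00:00  Event TimeStamp: 2021-10-01 14:22:13  EventID=4624  ...`

```ini
# $SPLUNK_HOME/etc/system/local/props.conf  (or <app>/local/props.conf)
# Added example for this thread, not from the original posts.
# Assumed sourcetype name; use the one assigned to your file input.
[winlog_export]

# TIME_PREFIX is a regex. Splunk starts looking for the timestamp only
# AFTER the first match of this regex, so anchoring on the "Event TimeStamp:"
# label skips the earlier "Server Restart TimeStamp:" value entirely.
# Assumed label text; copy it exactly as it appears in your log.
TIME_PREFIX = Event TimeStamp:\s*

# strptime layout of the value that follows the prefix.
# Assumed layout; e.g. use %m/%d/%Y %I:%M:%S %p for "10/01/2021 02:22:13 PM".
TIME_FORMAT = %Y-%m-%d %H:%M:%S

# Look only this many characters past the prefix for the timestamp
# (19 chars = "2021-10-01 14:22:13"). Stops Splunk wandering further into
# the line and guessing a different date-like token.
MAX_TIMESTAMP_LOOKAHEAD = 19

# One exported event per line, so no multi-line merging is wanted.
SHOULD_LINEMERGE = false
```

Two caveats worth knowing before you test this. Timestamp extraction happens at index time, so events already indexed keep the wrong `_time`; restart splunkd (or reload the input) and then re-add the file, or clean the index, before checking the Timeline again. And to confirm the right field was picked, search the sourcetype and compare `_time` with the raw text, e.g. `sourcetype=winlog_export | eval evt=strptime(_raw, "%Y-%m-%d %H:%M:%S") | table _time _raw` (the `strptime` call here assumes the same layout as `TIME_FORMAT`); if `_time` still lines up with the Server Restart value, the `TIME_PREFIX` regex is not matching the label as written in the file.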