- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Extracting timestamp out of records
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have system records which are in following format
RECORD_DATE=20130124145912|NAME=XYZ|PHONE=XXXXX|
Normally there is delay of 2-3 hours before these records reach Splunk server.
Splunk is displaying reports based on the time it receives records, can I configure Splunk to build all reports based on RECORD_DATE?
RECORD_DATE is in YYYYMMMDDHHMMSS format.
I have use strftime function for some of my reports, but this doesn't work for timeline.
strftime(strptime(RECORD_DATE ,"%Y%m%d%H%M"),"%Y-%m-%d %H:%M")
I want Splunk to use RECORD_DATE for timeline
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your statement is not entirely true. The Real-time search is the only portion that streams live/continous view of events, which I dont think you are using. When you run a search that does not include real-time you are just running report. Splunk will extracted _time from your log/event at time of index based on your props.conf. If you want Splunk to use the RECORD_DATE for your events timestamp you need to configure you props.conf for that source/sourcetype on your indexers.
#props.conf stanza example (only an example)
[RECORD]
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=false
MAX_TIMESTAMP_LOOKAHEAD=38
TIME_PREFIX=RECORD_DATE=
TIME_FORMAT="%Y%m%d%H%M"
Additional Reading:
Hope this help you or gets you started. Dont forget to vote and accept answers that help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your statement is not entirely true. The Real-time search is the only portion that streams live/continous view of events, which I dont think you are using. When you run a search that does not include real-time you are just running report. Splunk will extracted _time from your log/event at time of index based on your props.conf. If you want Splunk to use the RECORD_DATE for your events timestamp you need to configure you props.conf for that source/sourcetype on your indexers.
#props.conf stanza example (only an example)
[RECORD]
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=false
MAX_TIMESTAMP_LOOKAHEAD=38
TIME_PREFIX=RECORD_DATE=
TIME_FORMAT="%Y%m%d%H%M"
Additional Reading:
Hope this help you or gets you started. Dont forget to vote and accept answers that help.
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
