Hello,
I wanted an EVAL statement which manually adds a specified time, maybe "00:00:00", for events containing only a date component.
Example of the file (PSV format):
Poojitha Vasanth|21644|669194|Poojitha Vasanth|02/19/18|PRE-CLINIC VISIT|
Current sourcetype:
[sample:xx:audit:psv]
EVAL-event_dt_tm = date
FIELD_NAMES = "prsnl_name","prsnl_alias","person_alias","person_name","date","event_name"
TIMESTAMP_FIELDS = "date"
And I have modified it to:
EVAL-time = "00:00:00"
EVAL-event_dt_tm = date.time
FIELD_NAMES = "prsnl_name","prsnl_alias","person_alias","person_name","date","event_name"
TIMESTAMP_FIELDS = "date","time"
Even after this change, I am getting the ingested date and time and the actual log time.
Could anyone please let me know where I have gone wrong?
The TIMESTAMP_FIELDS setting applies only when INDEXED_EXTRACTIONS is used. If you use TIME_FORMAT = %d/%m/%y (assuming day, month, year format) then Splunk will set the time to 00:00:00.
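An added example, not part of the thread and not Splunk code: a Python check that tests candidate TIME_FORMAT strings against the "date" column of sample events before they go into props.conf, and shows the midnight timestamp a date-only format produces. It assumes Python's `strptime` directives behave like the ones TIME_FORMAT accepts; the helper names and the second sample line are constructed for illustration.

```python
from datetime import datetime

# Field order copied from the FIELD_NAMES setting in the question.
FIELD_NAMES = ["prsnl_name", "prsnl_alias", "person_alias",
               "person_name", "date", "event_name"]

# First line is the sample from the question; the second is constructed.
SAMPLE_EVENTS = [
    "Poojitha Vasanth|21644|669194|Poojitha Vasanth|02/19/18|PRE-CLINIC VISIT|",
    "Constructed User|10001|20002|Constructed Patient|11/05/18|CHART OPENED|",
]

# Candidate TIME_FORMAT values to test (assumed strptime-compatible).
CANDIDATE_FORMATS = ["%d/%m/%y", "%m/%d/%y"]


def date_field(event):
    """Return the value of the "date" column from one pipe-separated event."""
    values = event.rstrip("\n").split("|")
    return dict(zip(FIELD_NAMES, values))["date"]


def parse_events(events, time_format):
    """Parse the date column of every event; None marks a value that does not fit."""
    parsed = []
    for event in events:
        try:
            parsed.append(datetime.strptime(date_field(event), time_format))
        except ValueError:
            parsed.append(None)
    return parsed


def usable_formats(events, candidates=CANDIDATE_FORMATS):
    """Keep only the formats that parse the date column of every event."""
    return [f for f in candidates if None not in parse_events(events, f)]


if __name__ == "__main__":
    for fmt in CANDIDATE_FORMATS:
        for event, ts in zip(SAMPLE_EVENTS, parse_events(SAMPLE_EVENTS, fmt)):
            print(fmt, date_field(event), ts.isoformat() if ts else "no match")
    print("formats that fit all events:", usable_formats(SAMPLE_EVENTS))
```

A value such as 11/05/18 parses under both orders, so run the check over a sample large enough to include days above 12 before trusting the result.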
Thanks @richgalloway. Appreciate your help!