First off, thank you all for taking the time to help out! I realize now that I could have been much more clear and informative with my question. I will attach a copy of a slightly edited version of my logs after going through the indexer:
2018-04-04 00:00:00.000, LoginHistory="11968096", Logon=" ", Action="1", Date="2018-04-04 00:00:00.0", Time="538", Terminal=" ", AudSID="508081017", User="18187", StationId="7797", Application="0", IsPINAttempt="0", AuditUser="18187", AuditStationId="7797"
Action = 1
Date = 2018-04-04 00:00:00.0
LoginHistory = 11968096
Logon =
Terminal =
Time = 538
host =
I am, likely obviously, new to Splunk. My overall objective is to have Splunk recognize event times as its own date time. I believe this variable is _time. It seems as though the suggested solution is to get my 'Time' field converted to seconds.
| makeresults count=3 | eval Date="2018-04-04 00:00:00.0", Time="538" | eval duration=tonumber(Time)*60 | eval date_epoch=strptime(substr(Date,1,19),"%Y-%m-%d %H:%M:%S") | eval _time=date_epoch+duration
This is what I think it should look like based on the suggestions, but I have no idea how to apply that to the current index or if I am even using the right syntax.
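An added search (not from the original post) that applies the same Date + Time calculation to events already in the index instead of to `makeresults`; `YOUR_INDEX` and `YOUR_SOURCETYPE` are placeholders, and it assumes, like the post, that `Time` is a count of minutes after the `Date` midnight.

```spl
index=YOUR_INDEX sourcetype=YOUR_SOURCETYPE
| eval date_epoch = strptime(substr(Date, 1, 19), "%Y-%m-%d %H:%M:%S")
| eval offset_secs = tonumber(trim(Time)) * 60
| eval _time = if(isnotnull(date_epoch) AND isnotnull(offset_secs), date_epoch + offset_secs, _time)
| eval event_time_check = strftime(_time, "%Y-%m-%d %H:%M:%S")
| table _time event_time_check Date Time User StationId
```

`substr(Date, 1, 19)` drops the trailing `.0` so `strptime` matches the format, and the `if()` keeps the original `_time` when `Date` or `Time` is blank or non-numeric. Note that `eval _time` only changes the timestamp in the search results; the events' indexed `_time` is unchanged.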