Hello,
I wanted a EVAL statement which manually adds a specified time may be "00:00:00" for the event containing only date component in them.
Example of the file: (psv format)
Poojitha Vasanth|21644|669194|Poojitha Vasanth|02/19/18|PRE-CLINIC VISIT|
Current sourcetype:
[sample:xx:audit:psv]
EVAL-event_dt_tm = date FIELD_NAMES = "prsnl_name","prsnl_alias","person_alias","person_name","date","event_name" TIMESTAMP_FIELDS = "date"
And, I have modified it to.
EVAL-time = "00:00:00" EVAL-event_dt_tm = date.time FIELD_NAMES = "prsnl_name","prsnl_alias","person_alias","person_name","date","event_name" TIMESTAMP_FIELDS = "date","time"
Even after this change, I am getting the ingested date and time and the actual log time.
Could anyone please let me know where I have gone wrong?
... View more