Solved: Using a field within a log for the true timestamp

aferone · ‎09-01-2016

Here si the example log:

Sep 1 11:23:48 HOSTNAME netflow: timestamp=2016-08-30T12:51:07.593 duration=1.246 proto=6 srcip=1.1.1.1 srcport=80 dstip=2.2.2.2 dstport=62018 inpkt=5 inbyte=724 outpkt=6 outbyte=815 fl=2

The fieldname "timestamp" is the true timestamp of the event. The first date in the log is just when the netflow data was converted.

How do I use "timestamp" as the Splunk date/time? I know how to do timestamps when the times are the first part of the log, but not within it.

Thanks!

sundareshr · ‎09-01-2016

The below config in your props.conf on the indexer/hf should do the trick

[unique_stanza_name]
 TIME_PREFIX = timestamp=
 TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N

Verify correct stanza name, restart splunk service on indexer. All new data will have this field value for _time

View solution in original post

sundareshr · ‎09-01-2016

The below config in your props.conf on the indexer/hf should do the trick

[unique_stanza_name]
 TIME_PREFIX = timestamp=
 TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N

Verify correct stanza name, restart splunk service on indexer. All new data will have this field value for _time

aferone · ‎09-01-2016

Works like a champ! Thanks for responding!

Using a field within a log for the true timestamp

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes