Solved: How to generate a proper timestamp on events?

dominiquevocat · ‎11-30-2016

I have data where i get a date/timestamp as a string and an offset as a string from some API.

I manage to generate the _time field and it shows properly in the event view and stuff like time based drilldown (plus minus n seconds) works.

However only the field _time is available on the event and the date_hour etc fields do not show up, thus timechart etc won't work.

I tried to generate the timestamp subfields and append them to the event but they are not visible in Splunk.

What do i need to take care of to get proper events with a proper timestamp?

dominiquevocat · ‎12-04-2016

Just return _time as epoch.

View solution in original post

dominiquevocat · ‎12-04-2016

Just return _time as epoch.

niketn · ‎11-30-2016

One of the crude options in our case would be to overwrite _time with field_time. Provided field_time is time stored in string format. PS: The time format below is assuming string date time string is in YYYY/MM/DD HH:MM:SS format. You can use your own time formatting based on your exiisting field_time values.
| eval _time= strptime(field_time,"%Y/%m/%d %H:%M:S") | timechart ...

If field_time contains epoch time and not string time then direct assignment should work:
** | eval _time=field_time | timechart **...

Since identification of exact time for various event is most crucial for Splunk, ideally, _time should be parsed and identified directly during data ingestion for optimal performance and accurate results. Any modifications to _time field afterwards may lead to unwanted results and issues.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

dominiquevocat · ‎12-02-2016

doh'

if i just send it as epoch its fine. Erm.

How to generate a proper timestamp on events?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!