Getting Data In

Is it possible to set a timestamp to year value only?

franciscog
Engager

Hey everyone, i know Splunk is only for machine data, but I was trying to use it for some other non-machine data that only provides the year as the time-stamp. Is there any way to configure the time-stamp to only use the year format? No, month, day, hour or the like. I was looking at editing the props.conf file but i'm not really sure what i would put in the time format section. Could someone help me figure this out please or let me know if it is impossible?

0 Karma
1 Solution

jluo_splunk
Splunk Employee
Splunk Employee

When you extract the time out of a raw event inside of splunk, it will convert the timestamp into it's epoch time equivalent. With that said - there must be a month, day, year, etc.

You could allow it to ingest the data with a dummy timestamp, and then extract the year by hand for later use, and disregard the timestamp stored.

View solution in original post

DalJeanis
SplunkTrust
SplunkTrust

@franciscog - FYI, no, Splunk is not ONLY for machine data. It is merely optimized for machine log data. Reading on this site, there is no limit to the number of interesting things people are doing with it. You can load your love letters in here and do NLP on them.

0 Karma

jluo_splunk
Splunk Employee
Splunk Employee

When you extract the time out of a raw event inside of splunk, it will convert the timestamp into it's epoch time equivalent. With that said - there must be a month, day, year, etc.

You could allow it to ingest the data with a dummy timestamp, and then extract the year by hand for later use, and disregard the timestamp stored.

franciscog
Engager

Thank you for the reply. I think I will just end up using a dummy month and day to hack it together in my command instead of editing the props.conf

|eval _time=strptime(Year."01"."01","%Y%m%d")|timechart

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...