Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is it possible to strip actual event timestamp and add current system time as event timestamp

adityapavan18
Contributor
‎09-26-2012 07:50 AM

Hi All,
Is there a possible solution to strip the actual timestamp of the event and add current system time as event timestamp.

Scenario:
My timestamp of events for Syslog feed coming to my heavyforwarder is as 2012-09-28T14:36:53.000
All events are having milliseconds as zero always because the syslog generating server doesn't have capability to add milliseconds.

So i was thinking if it is possible to ignore that timestamp and add the current timestamp of the indexer when indexing the events.

Tags (1)
0 Karma
Reply

Ayn
Legend
‎09-26-2012 08:13 AM

Splunk uses the current system time as event timestamp as a last resort. See more here: http://docs.splunk.com/Documentation/Splunk/latest/Data/HowSplunkextractstimestamps

Theoretically you could setup bogus time extraction rules that would make Splunk not find a timestamp in the event, which would then cause it to look for a timestamp in other locations and then resort to the current system time. It's not pretty, but it could work.

But I don't get why you want to throw the whole timestamp away just because there are some milliseconds that you're not using at the end? What's wrong about that?

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎09-26-2012 08:53 AM

You can force Splunk to just skip straight to current time by setting DATETIME_CONFIG = CURRENT in props.conf. You don't need bogus rules. But I agree with Ayn, I don't think this makes sense. You're not going to get the time of the event if you use server time, you're going to get the time it was processed by the server. This is pretty close to the real event time, but not likely to be accurate to the millisecond level, and the difference between that and actual event time is likely to be variable based on server and network load and latency.

Reply

adityapavan18
Contributor
‎09-26-2012 08:24 AM

The reason i want milliseconds..is to get proper transaction duration.If transaction completes in same second, duration shown would be 0 , instead of milliseconds..

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...