Hi,
I have a log that has a seconds counter inside it: 1, 2, ... 11, ... 3601, etc.
So the data I have:
1 Data XXYXX
2 Data XXYXX
5 Data XXYXX
11 Data XXYXX
3601 Date XXYY
etc...
The issue is that the log can be given to Splunk in one go, so it might get 20K links in the same few seconds, so I can't use INDEX TIME (as I think it will put all the events into the same few seconds; I need the data to be spread using the seconds in the file).
So I need it to say 3600 seconds is 1 hour and give each event a different timestamp depending on the second counter.....
ALSO... to make it more complex :):):)
I don't want the time to go forward into the future — I would like it to start at the end and go backwards — or set a negative 2 weeks as "0" and go forward... something like that... [Basically I don't want future events from now()]
What I want Splunk to see for TIMESTAMP (assuming we go back to the start of the month or something like that):
01/11/2018 12:00:01 1 Data XXYXX
01/11/2018 12:00:02 2 Data XXYXX
01/11/2018 12:00:05 5 Data XXYXX
01/11/2018 12:00:11 11 Data XXYXX
01/11/2018 13:00:02 3601 Date XXYY
Any help would be super super stuff, thanks.
Cheers in Advance 🙂
Robbie
I think that for index time you'll have to use datetime.xml to achieve your goals.
You can do it easily at search time, for example:
index=<your_index> sourcetype=<your_sourcetype>
| rex field=_raw "^(?<seconds_counter>\d+)"
| eval _time = _time + seconds_counter
| ... more stats and evals to complete your search
Hope it helps.
Hi.
In fact I need this to add to a data model, so I need to do it at index time if possible.
Interesting,
data models are search results... why not create an eval field?
Hi
This is what we did, thanks.
In the datamodel we put in if(isnull(GC_TIMESTAMP),_time-2592000+relative_time,_time).
So relative_time is the seconds, and if no timestamp is there we go back 90 days and start from there.
cheers
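As an added worked example (not code from the thread or from Splunk), here is a small Python preprocessor that does both things discussed above: it prepends a timestamp of base time + counter to every line, which is the shape the question's expected output has and which Splunk can then parse at index time with a plain TIME_FORMAT, and it mirrors the search-time eval from the final post so the two approaches can be compared. The sample log lines, the base time, the "now" value, the dd/mm/yyyy format and the 30-day lookback (2592000 s, the constant used in the eval) are all assumptions made for the example; choose_base also handles the case the question raises, a log whose counters run past the lookback, by pushing the base further back so no event lands after "now".

```python
import re
from datetime import datetime, timedelta

# Constructed sample: a seconds counter at the start of each line, as in the question,
# plus one line without a counter to show the fallback the datamodel eval relies on.
SAMPLE_LOG = """1 Data XXYXX
2 Data XXYXX
5 Data XXYXX
11 Data XXYXX
no counter here
3601 Date XXYY
"""

# Anchored to the start of the line so a digit inside the payload cannot be mistaken
# for the counter (the unanchored rex in the answer also works for this layout).
COUNTER_RE = re.compile(r"^(?P<seconds_counter>\d+)\s")


def parse_counter(line):
    """Return the integer seconds counter at the start of a line, or None if absent."""
    m = COUNTER_RE.match(line)
    return int(m.group("seconds_counter")) if m else None


def choose_base(lines, now, lookback=timedelta(days=30)):
    """Pick a base time so that base + the largest counter never lands after 'now'.
    The default lookback mirrors the 2592000 s used in the thread's eval (assumption)."""
    counters = [c for c in (parse_counter(l) for l in lines) if c is not None]
    span = timedelta(seconds=max(counters)) if counters else timedelta(0)
    base = now - lookback
    if base + span > now:          # log longer than the lookback: push the base further back
        base = now - span
    return base


def stamp_lines(lines, base, fallback=None):
    """Prefix each line with base + counter, formatted as dd/mm/yyyy HH:MM:SS (assumed
    format, matching the question's sample) so Splunk can parse it at index time with
    TIME_FORMAT = %d/%m/%Y %H:%M:%S. Lines without a counter get 'fallback', which
    defaults to the base time (the thread's eval keeps _time in that case)."""
    fallback = fallback if fallback is not None else base
    out = []
    for line in lines:
        c = parse_counter(line)
        ts = base + timedelta(seconds=c) if c is not None else fallback
        out.append(f"{ts:%d/%m/%Y %H:%M:%S} {line}")
    return out


def datamodel_eval(_time, relative_time, gc_timestamp=None, lookback_seconds=2592000):
    """Python rendering of the eval from the final post (epoch seconds in, epoch out):
    if(isnull(GC_TIMESTAMP), _time - 2592000 + relative_time, _time)"""
    if gc_timestamp is None:
        return _time - lookback_seconds + relative_time
    return _time


def main():
    lines = SAMPLE_LOG.splitlines()
    now = datetime(2018, 12, 1, 12, 0, 0)   # constructed "now" so the run is reproducible
    base = choose_base(lines, now)
    for stamped in stamp_lines(lines, base):
        print(stamped)


if __name__ == "__main__":
    main()
```

Note that 3601 seconds after a 12:00:00 base is 13:00:01; the mapping is strictly base + counter, so the spread between events is exactly what the counter says.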