I have data where i get a date/timestamp as a string and an offset as a string from some API.
I manage to generate the _time field and it shows properly in the event view and stuff like time based drilldown (plus minus n seconds) works.
However only the field _time is available on the event and the date_hour etc fields do not show up, thus timechart etc won't work.
I tried to generate the timestamp subfields and append them to the event but they are not visible in Splunk.
What do i need to take care of to get proper events with a proper timestamp?
Just return _time as epoch.
One of the crude options in our case would be to overwrite _time with field_time. Provided field_time is time stored in string format. PS: The time format below is assuming string date time string is in YYYY/MM/DD HH:MM:SS format. You can use your own time formatting based on your exiisting field_time values.
| eval _time= strptime(field_time,"%Y/%m/%d %H:%M:S") | timechart ...
If field_time contains epoch time and not string time then direct assignment should work:
** | eval _time=field_time | timechart **...
Since identification of exact time for various event is most crucial for Splunk, ideally, _time should be parsed and identified directly during data ingestion for optimal performance and accurate results. Any modifications to _time field afterwards may lead to unwanted results and issues.
doh'
if i just send it as epoch its fine. Erm.